Need to pull all the data from the investigation panel (Enterprise Security) and send it to a third party (Archer, ServiceNow) via API
For starters, I need to pull the information from the investigation panel so that I can run the Python script to push the data to the API.
I wrote a blog post that describes how to do this: https://www.splunk.com/blog/2015/04/13/how-to-edit-notable-events-in-es-programatically.html
See also the docs here: https://docs.splunk.com/Documentation/ES/latest/API/NotableEventAPIreference
@LukeMurphey For some strange reason, I don't see any event_id in my notable index.
Secondly, I want to fetch the notable info (not update the notable).
Can you please help me out?
If you run the `notable` macro search, you should see rule_id and event_id (they are the same fields):
`notable` | table _time, source, event_id, rule_id
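To turn the macro search above into the "pull, then push from Python" flow the question asks for, here is an added example (not code from this thread, from Splunk, or from the linked blog post). It runs the same `notable` search through Splunk's search export REST endpoint, parses the newline-delimited JSON it streams back, and reshapes each row for a push to a ticketing API. The Splunk base URL, the bearer token, and the target ticket schema in to_ticket_payloads are assumptions; the SAMPLE_EXPORT lines are constructed to mimic the export stream so the parsing and mapping functions run offline, and fetch_notables is the only function that needs a live instance.

```python
"""Fetch ES notable events with the `notable` macro search and reshape them
for a third-party push.

Added example, not code from the thread or from Splunk. Assumed: a Splunk
management endpoint reachable over HTTPS with a bearer token, and a
hypothetical ticket schema in to_ticket_payloads(). Only fetch_notables()
touches the network; everything else runs offline.
"""
import json
import ssl
import urllib.parse
import urllib.request

# The search from the answer above, prefixed with "search" because the REST
# API expects a full search string rather than a bare macro.
NOTABLE_SEARCH = "search `notable` | table _time, source, event_id, rule_id"


def build_export_form(search: str, earliest: str = "-24h", latest: str = "now") -> dict:
    """Form fields for POST /services/search/jobs/export.

    output_mode=json makes Splunk stream one JSON object per result row,
    which avoids creating and polling a search job just to read results.
    """
    return {
        "search": search,
        "earliest_time": earliest,
        "latest_time": latest,
        "output_mode": "json",
    }


def parse_export_stream(body: str) -> list[dict]:
    """Parse the export stream into result rows.

    Each non-empty line is {"preview": bool, "offset": n, "result": {...}}.
    Preview rows are partial results emitted while the search runs, so they
    are skipped; only final rows are returned.
    """
    rows = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        rows.append(obj["result"])
    return rows


def to_ticket_payloads(rows: list[dict]) -> list[dict]:
    """Map notable rows to a hypothetical ticket schema (assumed field names).

    event_id is the identifier the ES notable update endpoint keys on, so it
    is kept as the correlation id. A row with neither event_id nor rule_id is
    rejected rather than pushed, so a broken search cannot create tickets
    that can never be reconciled back to a notable.
    """
    payloads = []
    for row in rows:
        event_id = row.get("event_id") or row.get("rule_id")
        if not event_id:
            raise ValueError(f"notable row without event_id/rule_id: {row}")
        payloads.append({
            "correlation_id": event_id,
            "opened_at": row.get("_time"),
            "source_search": row.get("source"),
        })
    return payloads


def fetch_notables(base_url: str, token: str, earliest: str = "-24h",
                   latest: str = "now", verify_tls: bool = True) -> list[dict]:
    """Run the macro search via the export endpoint (needs a live instance)."""
    form = urllib.parse.urlencode(build_export_form(NOTABLE_SEARCH, earliest, latest)).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/services/search/jobs/export",
        data=form,
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        return parse_export_stream(resp.read().decode("utf-8"))


# Constructed sample of what the export endpoint streams back: one preview
# row (skipped), two final rows, and a trailing blank line.
SAMPLE_EXPORT = """\
{"preview": true, "offset": 0, "result": {"_time": "2024-05-01T10:00:00.000+00:00", "source": "Threat - Example Rule - Rule", "event_id": "partial"}}
{"preview": false, "offset": 0, "result": {"_time": "2024-05-01T10:00:00.000+00:00", "source": "Threat - Example Rule - Rule", "event_id": "AAAA1111-0000-0000-0000-000000000001@@notable@@0123abcd", "rule_id": "AAAA1111-0000-0000-0000-000000000001@@notable@@0123abcd"}}
{"preview": false, "offset": 1, "result": {"_time": "2024-05-01T10:05:00.000+00:00", "source": "Access - Example Rule - Rule", "event_id": "BBBB2222-0000-0000-0000-000000000002@@notable@@4567ef01", "rule_id": "BBBB2222-0000-0000-0000-000000000002@@notable@@4567ef01"}}

"""


if __name__ == "__main__":
    for payload in to_ticket_payloads(parse_export_stream(SAMPLE_EXPORT)):
        print(json.dumps(payload))
```

Run it as-is to see the offline mapping; to go live, call fetch_notables("https://splunk.example:8089", token) and hand the result to to_ticket_payloads before posting to the ticketing API of your choice.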
Thanks @LukeMurphey for the links, but I'm not seeing info related to Investigations performed against notables. Am I missing something?
I might have mistakenly assumed that "investigation" was a reference to a notable. If so, then my answer is incorrect.
@ajaylowes: could you clarify if you mean a notable event (what you see on Incident Review) or an investigation (what you see on the "Investigations" page)?
@LukeMurphey This is what we see on the "investigation" page