Splunk Enterprise Security

Old Notable event marked as unassigned.

Splunk Employee

We pushed the new app out on ES cluster. After the app push, old notable events are showing up as "assigned" and our SOC analysts are having to deal with 100s of old notable events.

Splunk Employee

Here is a procedure that could be attempted to fix the old notables that got unassigned.
- Check if the notables are unassigned on all of the SHC; if not, maybe restore the lookup incident_review_lookup.
- Check for a backup and see if restoring may be an option.
- The other option will be to re-build incident_review from audit data, which means we can only restore data for the last 30 days (assuming audit retention is 30 days), which means we can only rebuild for the last 30 days.

  • Look at the incident_review_lookup that is stored in KVstore to see what is there and how many:

    |inputlookup incident_review_lookup

  • Back up the incident_review_lookup:

    |inputlookup incident_review_lookup |outputlookup support.csv

  • Verify you backed up the incident_review_lookup:

    |inputlookup support.csv

  • Check audit for notable events. Set the time picker to all time and verify the data looks good:

    index=_audit sourcetype=incident_review
    | rex "@@\w+,(?<rule_name>[^,]+),(?<status>[^,]*),(?<owner>[^,]*),(?<urgency>[^,]*),(?<comment>.*),(?<user>[^,]+),(?<something>[^,]+)"
    | eval time=_time
    | table comment owner rule_id rule_name status time urgency user

  • Add the events found in audit to the incident_review_lookup. Make sure the time picker is set to all time:

    index=_audit sourcetype=incident_review
    | rex "@@\w+,(?<rule_name>[^,]+),(?<status>[^,]*),(?<owner>[^,]*),(?<urgency>[^,]*),(?<comment>.*),(?<user>[^,]+),(?<something>[^,]+)"
    | eval time=_time
    | table comment owner rule_id rule_name status time urgency user
    | outputlookup append=t incident_review_lookup

  • Verify that your original events plus the audit events are now in incident_review_lookup:

    |inputlookup incident_review_lookup
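Added example, not from the original post or from Splunk: a Python rendering of the rex in the answer above, run offline over constructed audit lines to check that the greedy comment group keeps commas inside a comment and that lines the rex does not match are skipped rather than written to the lookup as blank rows. The line format, the rule_id and time values, and the tuple layout are assumptions shaped to satisfy that rex, not real _audit output.

```python
import csv
import io
import re

# Python translation of the rex from the answer above. Splunk's PCRE writes named
# groups as (?<name>...); Python's re module needs (?P<name>...). The greedy
# (?P<comment>.*) is what lets commas survive inside the comment: user and
# something must still match as the last two comma-free fields after it.
INCIDENT_REVIEW_RE = re.compile(
    r"@@\w+,(?P<rule_name>[^,]+),(?P<status>[^,]*),(?P<owner>[^,]*),"
    r"(?P<urgency>[^,]*),(?P<comment>.*),(?P<user>[^,]+),(?P<something>[^,]+)"
)
# Same columns as the table command in the answer.
COLUMNS = ["comment", "owner", "rule_id", "rule_name", "status", "time", "urgency", "user"]

# Constructed sample events shaped to satisfy that rex; not real _audit output.
# Each tuple is (_time, rule_id, _raw): time and rule_id are assumed to be
# fields of the same audit event, as the table command implies.
SAMPLE_AUDIT_EVENTS = [
    (1700000000, "ABC123@@notable@@1",
     "@@IR,Brute Force Access Behavior Detected,new,,high,,analyst1,x"),
    (1700000600, "ABC123@@notable@@1",
     "@@IR,Brute Force Access Behavior Detected,in progress,analyst1,high,"
     "Checked auth logs, escalating,analyst1,x"),
    (1700001200, "DEF456@@notable@@7", "this line is not an incident_review entry"),
]


def parse_audit_event(raw):
    """Return the rex field dict for one audit event, or None if the rex fails."""
    match = INCIDENT_REVIEW_RE.search(raw)
    return match.groupdict() if match else None


def rebuild_incident_review(events):
    """Turn (time, rule_id, raw) audit events into incident_review_lookup rows,
    keeping every matching entry so the review history is preserved."""
    rows = []
    for time, rule_id, raw in events:
        fields = parse_audit_event(raw)
        if fields is None:
            continue  # unmatched event: skip it rather than append a blank row
        fields["time"] = time
        fields["rule_id"] = rule_id
        rows.append({col: fields[col] for col in COLUMNS})
    return rows


def rows_to_csv(rows):
    """Serialise rows as CSV in the lookup's column order for review before appending."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```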
