Splunk Enterprise Security

Query which allows close all notables events considered as FP

d4wc3k
Path Finder

Hello alll

I have following question:
If it is possible to create query which will change owner,status and add note to notable events?
for example with using macro notable I have found all notable which need to be closed/resolved and I want to close them automatically, not by hand,

Thanks for answer

BR
Dawid

0 Karma
1 Solution

d4wc3k
Path Finder

@alonsocaio Thanks a lot for your answer.

On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

We've got example how to use curl with rest to update notable:

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

My another question do you know simple code in python for use this rest call.

View solution in original post

0 Karma

d4wc3k
Path Finder

@alonsocaio Thanks a lot for your answer.

On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

We've got example how to use curl with rest to update notable:

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

My another question do you know simple code in python for use this rest call.

0 Karma

alonsocaio
Contributor

I use python requests, above is a simple function that can be used to close notables:

# STATUS
# 0 - Unassigned
# 1 - New
# 2 - In Progress
# 3 - Pending
# 4 - Resolved
# 5 - Closed

# URGENCY
# informational, low, medium, high, critical


status = 5
urgency = 'low'
comment = 'Closed by Python'
new_owner = 'admin'
rule_uids = EVENT_ID


def update_notable(status, urgency, comment, new_owner, rule_uids):
    status = status
    urgency = urgency
    comment = comment
    new_owner = new_owner
    rule_uids = rule_uids

    url = 'https://SPLUNK_SERVER:8089/services/notable_update'

    params = {'ruleUIDs': rule_uids, 'comment': comment, 'status': status, 'urgency': urgency, 'newOwner': new_owner}

    response = requests.request(method='POST', url=url, data=params, verify=False,
                                auth=HTTPBasicAuth('USER', 'PASSWORD'))
    return response.text

Also, this link has some useful python scripts that can help you: https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-edit-notable-events-in-es-programatically.h...

0 Karma

alonsocaio
Contributor

I don't think you will be able to modify the notables from search, but one solution I have found was using the Splunk REST API. Maybe you could use your search query to trigger the REST API call to update the notable events. In my case I'm using a python script to update status, owner, urgency and notes of a notable event.

The following link brings more information about Notable Event API: https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

One other possible solution would be to suppress the notable events, but this would just take the events out from Incident Review.

0 Karma
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...