Solved: Query which allows close all notables events consi...

d4wc3k · ‎11-29-2019

Hello alll

I have following question:
If it is possible to create query which will change owner,status and add note to notable events?
for example with using macro notable I have found all notable which need to be closed/resolved and I want to close them automatically, not by hand,

Thanks for answer

BR
Dawid

d4wc3k · ‎12-02-2019

@alonsocaio Thanks a lot for your answer.

On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

We've got example how to use curl with rest to update notable:

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

My another question do you know simple code in python for use this rest call.

View solution in original post

d4wc3k · ‎12-02-2019

@alonsocaio Thanks a lot for your answer.

On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

We've got example how to use curl with rest to update notable:

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

My another question do you know simple code in python for use this rest call.

alonsocaio · ‎12-02-2019

I use python requests, above is a simple function that can be used to close notables:

# STATUS
# 0 - Unassigned
# 1 - New
# 2 - In Progress
# 3 - Pending
# 4 - Resolved
# 5 - Closed

# URGENCY
# informational, low, medium, high, critical


status = 5
urgency = 'low'
comment = 'Closed by Python'
new_owner = 'admin'
rule_uids = EVENT_ID


def update_notable(status, urgency, comment, new_owner, rule_uids):
    status = status
    urgency = urgency
    comment = comment
    new_owner = new_owner
    rule_uids = rule_uids

    url = 'https://SPLUNK_SERVER:8089/services/notable_update'

    params = {'ruleUIDs': rule_uids, 'comment': comment, 'status': status, 'urgency': urgency, 'newOwner': new_owner}

    response = requests.request(method='POST', url=url, data=params, verify=False,
                                auth=HTTPBasicAuth('USER', 'PASSWORD'))
    return response.text

Also, this link has some useful python scripts that can help you: https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-edit-notable-events-in-es-programatically.h...

alonsocaio · ‎11-29-2019

I don't think you will be able to modify the notables from search, but one solution I have found was using the Splunk REST API. Maybe you could use your search query to trigger the REST API call to update the notable events. In my case I'm using a python script to update status, owner, urgency and notes of a notable event.

The following link brings more information about Notable Event API: https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

One other possible solution would be to suppress the notable events, but this would just take the events out from Incident Review.

Query which allows close all notables events considered as FP

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Query which allows close all notables events considered as FP

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?