Solved: Query which allows close all notables events consi...

d4wc3k · ‎11-29-2019

Hello alll

I have following question:
If it is possible to create query which will change owner,status and add note to notable events?
for example with using macro notable I have found all notable which need to be closed/resolved and I want to close them automatically, not by hand,

Thanks for answer

BR
Dawid

d4wc3k · ‎12-02-2019

@alonsocaio Thanks a lot for your answer.

On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

We've got example how to use curl with rest to update notable:

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

My another question do you know simple code in python for use this rest call.

View solution in original post

d4wc3k · ‎12-02-2019

@alonsocaio Thanks a lot for your answer.

On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

We've got example how to use curl with rest to update notable:

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

My another question do you know simple code in python for use this rest call.

alonsocaio · ‎12-02-2019

I use python requests, above is a simple function that can be used to close notables:

# STATUS
# 0 - Unassigned
# 1 - New
# 2 - In Progress
# 3 - Pending
# 4 - Resolved
# 5 - Closed

# URGENCY
# informational, low, medium, high, critical


status = 5
urgency = 'low'
comment = 'Closed by Python'
new_owner = 'admin'
rule_uids = EVENT_ID


def update_notable(status, urgency, comment, new_owner, rule_uids):
    status = status
    urgency = urgency
    comment = comment
    new_owner = new_owner
    rule_uids = rule_uids

    url = 'https://SPLUNK_SERVER:8089/services/notable_update'

    params = {'ruleUIDs': rule_uids, 'comment': comment, 'status': status, 'urgency': urgency, 'newOwner': new_owner}

    response = requests.request(method='POST', url=url, data=params, verify=False,
                                auth=HTTPBasicAuth('USER', 'PASSWORD'))
    return response.text

Also, this link has some useful python scripts that can help you: https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-edit-notable-events-in-es-programatically.h...

alonsocaio · ‎11-29-2019

I don't think you will be able to modify the notables from search, but one solution I have found was using the Splunk REST API. Maybe you could use your search query to trigger the REST API call to update the notable events. In my case I'm using a python script to update status, owner, urgency and notes of a notable event.

The following link brings more information about Notable Event API: https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

One other possible solution would be to suppress the notable events, but this would just take the events out from Incident Review.

Query which allows close all notables events considered as FP

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!