Splunk Enterprise Security

Query which allows close all notables events considered as FP

d4wc3k
Path Finder

Hello alll

I have following question:
If it is possible to create query which will change owner,status and add note to notable events?
for example with using macro notable I have found all notable which need to be closed/resolved and I want to close them automatically, not by hand,

Thanks for answer

BR
Dawid

0 Karma
1 Solution

d4wc3k
Path Finder

@alonsocaio Thanks a lot for your answer.

On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

We've got example how to use curl with rest to update notable:

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

My another question do you know simple code in python for use this rest call.

View solution in original post

0 Karma

d4wc3k
Path Finder

@alonsocaio Thanks a lot for your answer.

On following page:
https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

We've got example how to use curl with rest to update notable:

curl -u admin:changeme -k https://localhost:8089/services/notable_update --data "ruleUIDs=29439FBC-FFCB-45FF-93C2-420202012E1E@@notable@@75ecb6a3938d114b29c095f7ee9278b0&comment=Just adding a comment&status=5&urgency=high&newOwner=analyst_name"

My another question do you know simple code in python for use this rest call.

View solution in original post

0 Karma

alonsocaio
Contributor

I use python requests, above is a simple function that can be used to close notables:

# STATUS
# 0 - Unassigned
# 1 - New
# 2 - In Progress
# 3 - Pending
# 4 - Resolved
# 5 - Closed

# URGENCY
# informational, low, medium, high, critical


status = 5
urgency = 'low'
comment = 'Closed by Python'
new_owner = 'admin'
rule_uids = EVENT_ID


def update_notable(status, urgency, comment, new_owner, rule_uids):
    status = status
    urgency = urgency
    comment = comment
    new_owner = new_owner
    rule_uids = rule_uids

    url = 'https://SPLUNK_SERVER:8089/services/notable_update'

    params = {'ruleUIDs': rule_uids, 'comment': comment, 'status': status, 'urgency': urgency, 'newOwner': new_owner}

    response = requests.request(method='POST', url=url, data=params, verify=False,
                                auth=HTTPBasicAuth('USER', 'PASSWORD'))
    return response.text

Also, this link has some useful python scripts that can help you: https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-edit-notable-events-in-es-programatically.h...

0 Karma

alonsocaio
Contributor

I don't think you will be able to modify the notables from search, but one solution I have found was using the Splunk REST API. Maybe you could use your search query to trigger the REST API call to update the notable events. In my case I'm using a python script to update status, owner, urgency and notes of a notable event.

The following link brings more information about Notable Event API: https://docs.splunk.com/Documentation/ES/6.0.0/API/NotableEventAPIreference

One other possible solution would be to suppress the notable events, but this would just take the events out from Incident Review.

0 Karma

Tune In & Win!

Don't miss out on your
chance to take home free
prizes by helping our players
save the Splunk Cloudom!

Dungeons & Data
Monsters: Splunk O11y
Day Editions Games
stream live:
5/4 at 6:30pm PST
5/5 at 7:00pm PST
on