Splunk Enterprise Security

Splunk App for Enterprise Security 3.3.1: Why are drilldowns from Notable Events not being bound to event time?

jeff
Contributor

Enterprise Security 3.3.1, Splunk 6.2.4.

I have notable events being generated by correlation searches (for instance, Short-lived account detected, but there are others). For each notable in the Incident Review dashboard, there are links to View original event and View account change events of $user$ (or whatever is set under the correlation search's "drill-down name"), but rather than being bound to the time of the original event, it's reverting to the default (last 15 minutes in our case) and showing no results.

What should the notable event be keying off of for "event time"?

I'm presuming we should be passing a time field or two from the correlation search to key off of? I want to be able to similarly set earliest and latest default times for custom notables I'm working on, but the only way I can seem to get it to work is to hard code earliest and latest in my search string, which makes it more difficult for my analysts to pick different time boundaries (via zoom, dragging around in the timeline, or using the time picker).

0 Karma
1 Solution

jeff
Contributor

According to Splunk Support, this is consistent with the current design of Enterprise Security. Prior to 3.0, there was no setting at all for time constraints being set in Notable Events. The earliest and latest offsets, which key off of the notable event, were added at that point, but not setting these at all apparently reverts to the system default ("All Time" out of the box, -15m in our case, as set in ui-prefs.conf).

I asked that an enhancement request be submitted.


0 Karma
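The accepted answer says the fix is to set the drill-down earliest/latest offsets on the correlation search instead of hard-coding earliest/latest in the search string. The stanza below is an added example, not from the original post or from Splunk's shipped content: the stanza name, the drilldown search and the user value are constructed, and the key names (`drilldown_earliest_offset`, `drilldown_latest_offset`) and the `$info_min_time$`/`$info_max_time$` tokens are assumptions about the ES 3.x `correlationsearches.conf` format, so check them against the spec file shipped with your ES version.

```ini
# Added example (not from the original post). Key names and token values are
# assumptions about ES 3.x correlationsearches.conf; verify against the spec.
[Access - Short-lived Account Detected - Rule]
rule_name        = Short-lived Account Detected
security_domain  = access
severity         = medium

# Drilldown offered from Incident Review for each notable. $user$ is filled
# from the notable event's own field values.
drilldown_name   = View account change events of $user$
drilldown_search = tag=change tag=account user="$user$"

# Time range for the drilldown. These key off the notable event rather than
# ui-prefs.conf, so the drilldown does not fall back to the -15m default.
# If left unset, ES 3.3.1 uses the system default time range (the behaviour
# described in the question).
drilldown_earliest_offset = $info_min_time$
drilldown_latest_offset   = $info_max_time$
```

Because the offsets only set the drilldown's default window, analysts can still widen or narrow it with the time picker or timeline once the drilldown search opens, which is what hard-coding earliest/latest in the search string prevented.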
