Splunk Enterprise Security

Splunk App for Enterprise Security 3.3.1: Why are drilldowns from Notable Events not being bound to event time?

jeff
Contributor

Enterprise Security 3.3.1, Splunk 6.2.4.

I have notable events being generated by correlation searches (for instance, Short-lived account detected, but there are others). For each notable in the Incident Review dashboard, there are links to View original event and View account change events of $user$ (or whatever is set under the correlation search's "drill-down name"), but rather than being bound to the time of the original event, it's reverting to the default (last 15 minutes in our case) and showing no results.

What should the notable event be keying off of for "event time"?

I'm presuming we should be passing a time field or two from the correlation search to key off of? I want to be able to similarly set earliest and latest default times for custom notables I'm working on, but the only way I can seem to get it to work is to hard code earliest and latest in my search string, which makes it more difficult for my analysts to pick different time boundaries (via zoom, dragging around in the timeline, or using the time picker).

1 Solution

jeff
Contributor

According to Splunk Support, this is consistent with the current design of Enterprise Security. Prior to 3.0, there was no setting at all for time constraints being set in Notable Events. The earliest and latest offsets, which key off of the notable event, were added at that point, but not setting these at all apparently reverts to the system default ("All Time" out of the box, -15m in our case, as set in ui-prefs.conf).

I asked that an enhancement request be submitted.

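As an added example (not from the original post or from Splunk), here is a correlationsearches.conf stanza for a hypothetical custom rule that sets the drilldown offsets the answer refers to. The key names are assumed from the ES 3.x correlationsearches.conf spec and the drilldown search and field names are constructed, so check them against the spec file shipped with your ES version.

```ini
# Added example (not from the original post): correlationsearches.conf stanza
# for a hypothetical custom rule, placed in the app's local/ directory.
# Key names are assumed from the ES 3.x correlationsearches.conf spec; verify
# them against the spec file shipped with your version.
#
# The stanza name must match the saved search in savedsearches.conf that
# generates the notable events.
[Access - Short-lived Account Detected - Rule]
security_domain = access
severity = medium
rule_name = Short-lived Account Detected
description = Detects accounts created and deleted within a short window.
rule_title = Short-lived account $user$ detected
rule_description = Account $user$ was created and removed within a short period.

# Drilldown link shown on Incident Review; $user$ is filled from the notable.
# (Constructed search against the Change_Analysis data model.)
drilldown_name = View account change events of $user$
drilldown_search = | datamodel Change_Analysis All_Changes search | search All_Changes.user="$user$"

# Without these two keys the drilldown inherits the ui-prefs.conf default
# window (-15m in the asker's environment) and usually returns nothing.
# $info_min_time$ / $info_max_time$ are the search window of the run that
# produced the notable, so the drilldown is bound to that event's time range
# while analysts can still widen or shift it with the time picker.
drilldown_earliest_offset = $info_min_time$
drilldown_latest_offset = $info_max_time$
```

After saving the stanza, open a fresh notable from the rule in Incident Review and confirm the drilldown's time range matches the notable's time rather than the last 15 minutes.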