Enterprise Security 3.3.1, Splunk 6.2.4.
I have notable events being generated by correlation searches (for instance, "Short-lived account detected", but there are others). For each notable in the Incident Review dashboard, there are links to "View original event" and "View account change events of $user$" (or whatever is set under the correlation search's "drill-down name"), but rather than being bound to the time of the original event, it's reverting to the default (last 15 minutes in our case) and showing no results.
What should the notable event be keying off of for "event time"?
I'm presuming we should be passing a time field or two from the correlation search to key off of? I want to be able to similarly set earliest and latest default times for custom notables I'm working on, but the only way I can seem to get it to work is to hard-code earliest and latest in my search string, which makes it more difficult for my analysts to pick different time boundaries (via zoom, dragging around in the timeline, or using the time picker).
According to Splunk Support, this is consistent with the current design of Enterprise Security. Prior to 3.0, there was no setting at all for time constraints being set in Notable Events. The earliest and latest offsets, which key off of the notable event, were added at that point, but not setting these at all apparently reverts to the system default ("All Time" out of the box, -15m in our case, as set in ui-prefs.conf).
I asked that an enhancement request be submitted.
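An added illustration, not from the original post or from Splunk, of the two approaches the thread contrasts, written as a savedsearches.conf stanza for a correlation search. The stanza name, search text and offset values are constructed, and the `action.notable.param.drilldown_*` key names are my assumption about how the ES correlation-search editor stores its drill-down name, drill-down search and earliest/latest offset fields.

```ini
# Constructed example stanza (hypothetical correlation search).
[Access - Short-lived Account - Rule]
search = `account_creation_and_deletion` | stats earliest(_time) AS firstTime latest(_time) AS lastTime by user

# --- Approach 1: hard-coded window inside the drill-down search ---
# Works, but analysts cannot zoom/drag/pick another range because the
# earliest/latest terms in the search string override the time picker.
# action.notable.param.drilldown_name   = View account change events of $user$
# action.notable.param.drilldown_search = `account_management_events` user=$user$ earliest=-1h latest=+1h

# --- Approach 2: offsets keyed off the notable event's time ---
# No time terms in the search string; the drill-down window is derived from the
# notable's _time, so the time picker still works. Leaving the offsets unset is
# what causes the fallback to the ui-prefs.conf default (-15m in the thread).
action.notable.param.drilldown_name            = View account change events of $user$
action.notable.param.drilldown_search          = `account_management_events` user=$user$
action.notable.param.drilldown_earliest_offset = -1h
action.notable.param.drilldown_latest_offset   = +1h
```

Offset values are relative to the notable event's `_time`; the exact offset syntax accepted by a given ES release should be checked against that release's savedsearches.conf.spec.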