Hi,
We have a requirement to add some additional fields to events under "Incident Review" for IOCs (I have looked at some of the mappings in notables2.html), however, they don't give us quite enough flexibility.
How do I add these additional fields under the heading "Additional Fields" (e.g. dest displays as "Destination")?
I have had a look at the following, however changing the HTML or log_review.conf did not appear to make any difference:
Thanks,
MHibbin
I've verified that the advice of @jbrodsky is correct. The log_review.conf controls the fields displayed in Incident Review. If you wish to add fields, copy the entire $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/log_review.conf to SA-ThreatIntelligence/local and add the new fields under the stanza:
[incident_review]
event_attributes =
An example is available in: SA-ThreatIntelligence/README/log_review.conf.example. You can verify the changes with: splunk cmd btool log_review list --debug
Note: if you tack the new fields on to the bottom of the file, beware of leaving a trailing comma on the bottom/last field definition. That bit me while testing the changes.
The default behavior is that the field name will not appear in the NE if the search results do not contain data for that field. If you don't see your new fields, test the output again with a field that appears in all results, such as index. Refresh the Incident Review dashboard after changing log_review.conf for the changes to take effect.
I hope that helps!
BTW: you can use an online JSON parser to verify that the fields are valid JSON. I generally use this one: http://json.parser.online.fr/
That comma is very important. I encountered an issue where the commas were missing after "User Email"}:
{"field": "user_email", "label": "User Email"}\
this caused the Incident Review - Event Attributes to be hidden and the add new entry button to disappear as well. It was not until those changes were made that it all worked out.
{"field": "user_email", "label": "User Email"},\
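As an added example (not from the original posts and not part of Splunk ES), the following Python check does offline what the answers above suggest doing with an online JSON parser: it joins the backslash-continued lines of a log_review.conf the way the file is written, pulls out the event_attributes value from the [incident_review] stanza, and parses it as JSON, so both the trailing comma after the last entry and a missing comma between entries are reported before you reload the dashboard. The stanza layout it expects (a JSON array of {"field", "label"} objects, one per line) is assumed from the snippets in this thread, and the sample configs are constructed here; compare them against SA-ThreatIntelligence/README/log_review.conf.example rather than treating them as the shipped defaults.

```python
import json

# Constructed sample conf fragments. The layout (a JSON array of
# {"field": ..., "label": ...} objects, one per line, joined with trailing
# backslashes) is assumed from the snippets in the thread, not copied from
# the SA-ThreatIntelligence default file.
GOOD_CONF = r'''
[incident_review]
event_attributes = [\
{"field": "dest", "label": "Destination"},\
{"field": "src", "label": "Source"},\
{"field": "user_email", "label": "User Email"}\
]
'''

# Same stanza with the trailing comma on the last entry that the answer warns about.
TRAILING_COMMA_CONF = r'''
[incident_review]
event_attributes = [\
{"field": "dest", "label": "Destination"},\
{"field": "user_email", "label": "User Email"},\
]
'''

# Same stanza with the comma missing between two entries, as in the comment above.
MISSING_COMMA_CONF = r'''
[incident_review]
event_attributes = [\
{"field": "dest", "label": "Destination"}\
{"field": "user_email", "label": "User Email"}\
]
'''


def join_continuations(conf_text):
    """Join lines that end in a backslash onto the following line (conf-file continuation)."""
    joined, buf = [], None
    for line in conf_text.splitlines():
        buf = line if buf is None else buf + line
        if buf.endswith("\\"):
            buf = buf[:-1]          # drop the continuation marker and keep accumulating
            continue
        joined.append(buf)
        buf = None
    if buf is not None:             # file ended on a continuation line
        joined.append(buf)
    return joined


def read_setting(conf_text, stanza, key):
    """Return the raw value of `key` inside `[stanza]`, or None if absent."""
    current = None
    for line in join_continuations(conf_text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]") and len(stripped) > 2:
            current = stripped[1:-1]
            continue
        name, sep, value = stripped.partition("=")
        if sep and current == stanza and name.strip() == key:
            return value.strip()
    return None


def check_event_attributes(conf_text):
    """Validate [incident_review] event_attributes.

    Returns (True, [field names]) on success, or (False, reason) describing
    what is wrong, including the JSON offset of a stray or missing comma.
    """
    raw = read_setting(conf_text, "incident_review", "event_attributes")
    if raw is None:
        return False, "no event_attributes setting in [incident_review]"
    try:
        entries = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"event_attributes is not valid JSON: {exc.msg} at offset {exc.pos}"
    if not isinstance(entries, list):
        return False, "event_attributes must be a JSON array"
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or not {"field", "label"} <= set(entry):
            return False, f"entry {i} must be an object with 'field' and 'label': {entry!r}"
    return True, [entry["field"] for entry in entries]


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF),
                       ("trailing comma", TRAILING_COMMA_CONF),
                       ("missing comma", MISSING_COMMA_CONF)):
        print(name, "->", check_event_attributes(conf))
```

Point it at your local/log_review.conf (read the file into `conf_text`) before restarting or refreshing the dashboard; it only validates the JSON shape, so still run `splunk cmd btool log_review list --debug` afterwards to confirm which file's stanza is actually winning in the merged configuration.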
Thanks @ekost & @jbrodsky, I have just configured a test instance with version 3.3.1 and this solution appears to be working correctly.
In our current version the log_review.conf file does not have the same contents (namely missing table_attributes and event_attributes).
Looks like I will have to schedule in some upgrade work!
Thanks for your help.
Best,
Matt
Can you verify what you're trying to accomplish? My interpretation is, you would like the correlation search to grab additional fields and provide/display them in a notable event. But your description could also be interpreted as adding a new event action from an existing field in a notable event. And @esix is offering another perspective.
@ekost,
My correlation search is generating all the fields required (i.e. I could add them to the title/description as variables), however I would like them to appear under "Additional Fields", where there is currently items such as:
Obviously these are fields that are referenced in the CIM; I would like to add ones, e.g:
The intention is that we can add these fields to the notables/events in Incident Review, so that the review is more streamlined and also so that we can create workflow actions on the IOCs themselves (e.g. Open Source checks, checks on other systems internally, etc.) for each instance.
We do have other use cases, not just IOC information.
Hope this is a bit clearer.
Thanks,
Matt
So Matt, I'm late to the game, but you mention that changes to log_review.conf are not making any difference. Can you go through the more detailed example given by @ekost and let us know what the results are? I'm curious as to the output of btool...
Have you seen this portion of the documentation : http://docs.splunk.com/Documentation/ES/3.3.1/User/IncidentReviewdashboard#Modify_the_Incident_Revie... ?
It describes removing fields, but it should hold the same for adding fields; I haven't tried this yet. If you try, do let us know the results.
Thanks @esix,
My log_review.conf file only has the following:
[notable_editing]
allow_urgency_override=true
[comment]
minimum_length=20
is_required=false
I also used btool to identify any other instances, however, that was the only one.
So don't really have much to go on.