Splunk Enterprise Security

Splunk App for Enterprise Security: Is there a way to update a notable event via REST API?

harshanagaraj
Explorer

I would like to figure out a way to update an existing notable event via a rest api. I would specifically like to know how to update the 'Severity' or urgency field. The notable events are being created by Enterprise Security (ES) app.

1 Solution

LukeMurphey
Champion

I created a blog post that outlines how to edit notable events using ES' REST API: https://www.splunk.com/blog/2015/04/13/how-to-edit-notable-events-in-es-programatically.html

For example, if you need to change the urgency for an event to 'high' then you would just need to include the updateNotableEvents() function (see the blog post) and then call it (example is in Python):

eventIDs = ['F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b']
updateNotableEvents(sessionKey=sessionKey, comment='Changing the urgency', urgency='high', eventIDs=eventIDs)

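As an added illustration (not the blog post's code and not part of the accepted answer), the call above and the later `splunk.rest.simpleRequest('/services/notable_update', ...)` snippet with `args['ruleUIDs'] = eventIDs` can be reproduced outside the Splunk Python SDK with the standard library. Only the endpoint path and the `ruleUIDs`, `status`, `urgency` and `comment` fields are taken from this thread; the `newOwner` parameter name is an assumption to verify against your ES version, and the urgency values are those Incident Review accepts.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Endpoint from the thread; urgency values accepted by ES Incident Review.
NOTABLE_UPDATE_PATH = "/services/notable_update"
VALID_URGENCIES = ("informational", "low", "medium", "high", "critical")


def build_notable_update_args(event_ids, comment, urgency=None, status=None, owner=None):
    """Build the POST form fields; rejects empty ID lists and unknown urgencies."""
    if not event_ids:
        raise ValueError("at least one notable event ID (ruleUID) is required")
    if urgency is not None and urgency not in VALID_URGENCIES:
        raise ValueError("urgency must be one of: " + ", ".join(VALID_URGENCIES))
    # Each event_id ('<rule uid>@@notable@@<event hash>') is sent as one 'ruleUIDs' value.
    args = {"ruleUIDs": list(event_ids), "comment": comment}
    if urgency is not None:
        args["urgency"] = urgency
    if status is not None:
        args["status"] = status
    if owner is not None:
        args["newOwner"] = owner  # assumed name of the owner parameter
    return args


def encode_form_body(args):
    """Form-encode the fields; doseq=True repeats 'ruleUIDs' once per event ID."""
    return urllib.parse.urlencode(args, doseq=True)


def update_notable_events(base_url, session_key, args, verify_tls=True):
    """POST the update to splunkd (management port, usually 8089) and return the JSON reply."""
    request = urllib.request.Request(
        base_url.rstrip("/") + NOTABLE_UPDATE_PATH,
        data=encode_form_body(args).encode(),
        headers={"Authorization": "Splunk " + session_key},  # splunkd session-key header
        method="POST",
    )
    context = ssl.create_default_context()
    if not verify_tls:  # lab instances with self-signed certificates only
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(request, context=context) as response:
        return json.loads(response.read().decode())
```

Build the arguments with `build_notable_update_args([...event IDs...], "Changing the urgency", urgency="high")` and pass them to `update_notable_events("https://splunk.example:8089", session_key, args)`; the session key comes from a prior `/services/auth/login` call.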

dellytaniasetia
Explorer

@LukeMurphey, I tried the ES' REST API but it seems that it can only be used to edit the default fields: status, urgency, owner, and comments. Is there any way to edit the value of a new field that I created from Splunk ES > Configure > Incident Management > Incident Review settings?

The objective is:
I created a new field 'incident category' for each notable event in the incident review. The security analyst can assign and edit the category after their investigation. The incident categories are a pre-defined list (malware, dos, human mistake, and false +).

Appreciate your advice.


harshanagaraj
Explorer

Works really well. I just wish Splunk provided a little bit more documentation on this API, notable_update.
Thank you very much @LukeMurphey.


harshanagaraj
Explorer

Do you happen to know the Java SDK version of this python call:
splunk.rest.simpleRequest('/services/notable_update', sessionKey=sessionKey, postargs=args)
?
Thanks.


harshanagaraj
Explorer

Thank you very much for your time, @LukeMurphey. I will go through this example and let you know how it pans out in my case. I am assuming that, just like event_id, event_hash is also unique to a Notable Event. Also, why did you rename the argument here?
args['ruleUIDs'] = eventIDs
Where is it defined that eventIDs is named as the ruleUIDs argument?
Thanks again.


LukeMurphey
Champion

There is. Let me write something up. I'll probably make it a blog entry. I'll include some sample code too in order to make it easy.

harshanagaraj
Explorer

Thanks for your time Luke. I look forward to your response. Thanks in advance.


harshanagaraj
Explorer

@LukeMurphey, Did you ever get a chance to look at this one? Would you be using Java Splunk Development Kit for this purpose or does Splunk expose an API to accomplish this?
Thanks in advance for your time.


LukeMurphey
Champion

I created a draft post over the weekend; just giving a final review before I hit publish. Hoping to get this done today.

I'm not using the JavaScript SDK for it. ES does have an API for it. The example I am giving is in Python. Would you prefer an example in JavaScript?


harshanagaraj
Explorer

Thanks again Luke.
Either one (Python or Java) would be fine, as long as I understand the APIs that are being used. Just to be clear about my ask:
I have notable events in an index named notable. I need to be able to update the Severity or Urgency to a new value on an existing Notable Event.
Look forward to your blog post.
Thanks.


martin_mueller
SplunkTrust

What version are you using?


harshanagaraj
Explorer

Thanks for the response Martin. Splunk Version is 6.2.2.
ES App version is: 3.2.2
