Splunk Enterprise Security

Splunk App for Enterprise Security: Is there a way to update a notable event via REST API?

Explorer

I would like to figure out a way to update an existing notable event via a REST API. I would specifically like to know how to update the 'Severity' or urgency field. The notable events are being created by the Enterprise Security (ES) app.

1 Solution

Champion

I created a blog post that outlines how to edit notable events using ES' REST API: https://www.splunk.com/blog/2015/04/13/how-to-edit-notable-events-in-es-programatically.html

For example, if you need to change the urgency for an event to 'high' then you would just need to include the updateNotableEvents() function (see the blog post) and then call it (example is in Python):

eventIDs = ['F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b']
updateNotableEvents(sessionKey=sessionKey, comment='Changing the urgency', urgency='high', eventIDs=eventIDs)

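A stand-alone version of the call above, as an added example that is not from the original post or from the linked blog: it issues the same POST to /services/notable_update with the Python standard library instead of splunk.rest.simpleRequest, so the exact request can be reproduced from any HTTP client. ruleUIDs, urgency and comment are the field names the thread uses; the management URL, the status/newOwner field names, the urgency value set and the JSON shape of the reply are assumptions.

```python
"""Update ES notable events through the notable_update REST endpoint.

Added example; not code from the original post or from the linked blog.
Assumptions: splunkd listens on https://localhost:8089, the endpoint accepts
the form fields ruleUIDs / urgency / status / newOwner / comment, and it
answers with a JSON object carrying 'success' and 'message' keys.
"""
import json
import ssl
import urllib.parse
import urllib.request

SPLUNKD_URL = "https://localhost:8089"            # assumption: management port
NOTABLE_UPDATE_PATH = "/services/notable_update"  # endpoint named in the thread

# Urgency values accepted by ES (assumed set); validated before the call goes out.
VALID_URGENCIES = ("informational", "low", "medium", "high", "critical")


def build_notable_update_args(event_ids, comment, urgency=None, status=None, new_owner=None):
    """Return the (name, value) form fields for one notable_update call.

    Every event ID is sent as its own 'ruleUIDs' field, which is how a list
    value is encoded on the wire; 'comment' is always sent so the change is
    recorded in the event's history.
    """
    if not event_ids:
        raise ValueError("at least one notable event ID is required")
    if urgency is not None and urgency not in VALID_URGENCIES:
        raise ValueError("urgency must be one of: " + ", ".join(VALID_URGENCIES))
    if not comment:
        raise ValueError("a comment is required to document the change")

    args = [("ruleUIDs", eid) for eid in event_ids]
    args.append(("comment", comment))
    if urgency is not None:
        args.append(("urgency", urgency))
    if status is not None:
        args.append(("status", str(status)))   # assumed field name
    if new_owner is not None:
        args.append(("newOwner", new_owner))   # assumed field name
    return args


def parse_notable_update_response(raw_body):
    """Reduce the endpoint's JSON reply to (ok, message).

    A non-JSON body (for example an HTML error page from a proxy) is reported
    as a failure instead of raising, so callers can log it.
    """
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "non-JSON response: %r" % (raw_body[:200],)
    return bool(body.get("success")), str(body.get("message", ""))


def update_notable_events(session_key, event_ids, comment, urgency=None,
                          status=None, new_owner=None, verify_tls=True):
    """POST the update to splunkd and return (ok, message).

    The session key goes in the standard 'Authorization: Splunk <key>' header,
    the same credential splunk.rest.simpleRequest() carries for you.
    """
    fields = build_notable_update_args(event_ids, comment, urgency, status, new_owner)
    form = urllib.parse.urlencode(fields).encode("utf-8")
    request = urllib.request.Request(SPLUNKD_URL + NOTABLE_UPDATE_PATH, data=form, method="POST")
    request.add_header("Authorization", "Splunk " + session_key)
    request.add_header("Content-Type", "application/x-www-form-urlencoded")

    context = ssl.create_default_context()
    if not verify_tls:  # only for a lab search head with a self-signed certificate
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return parse_notable_update_response(response.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: the event ID format from the thread and a placeholder session key.
    sample_ids = ["F93A9857-59D8-4AEB-AD97-4F182E0C959E@@notable@@1363d37ec74a79d00e22af26bfe0718b"]
    ok, message = update_notable_events("<session-key>", sample_ids,
                                        comment="Changing the urgency", urgency="high")
    print("success" if ok else "failed", message)
```

Obtain the session key the usual way (a POST to /services/auth/login, or the key splunkd hands a scripted input), and keep verify_tls=True outside a lab: the call carries a credential that can rewrite every notable in the index.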

@LukeMurphey, I tried the ES REST API, but it seems that it can only be used to edit the default fields: status, urgency, owner, and comments. Is there any way to edit the value of a new field that I created from Splunk ES > Configure > Incident Management > Incident Review settings?

The objective is:
I created a new field 'incident category' for each notable event in the incident review. The security analyst can assign and edit the category after their investigation. The incident category is a pre-defined list (malware, dos, human mistake, and false +).

Appreciate your advice.

0 Karma


Explorer

Works really well. I just wish Splunk provided a little bit more documentation on this API, notable_update.
Thank you very much @LukeMurphey.

0 Karma

Explorer

Do you happen to know the Java SDK version of this Python call:
splunk.rest.simpleRequest('/services/notable_update', sessionKey=sessionKey, postargs=args)
?
Thanks.

0 Karma

Explorer

Thank you very much for your time, @LukeMurphey. I will go through this example and let you know how it pans out in my case. I am assuming that just like event_id, event_hash is also unique to a Notable Event. Also why did you rename the argument here?
args['ruleUIDs'] = eventIDs
Where is it defined that eventIDs is named as the ruleUIDs argument?
Thanks again.

0 Karma

Champion

There is. Let me write something up. I'll probably make it a blog entry. I'll include some sample code too in order to make it easy.

Explorer

Thanks for your time Luke. I look forward to your response. Thanks in advance.

0 Karma

Explorer

@LukeMurphey, Did you ever get a chance to look at this one? Would you be using Java Splunk Development Kit for this purpose or does Splunk expose an API to accomplish this?
Thanks in advance for your time.

0 Karma

Champion

I created a draft post over the weekend; just giving a final review before I hit publish. Hoping to get this done today.

I'm not using the JavaScript SDK for it. ES does have an API for it. The example I am giving is in Python. Would you prefer an example in JavaScript?

0 Karma

Explorer

Thanks again Luke.
Either one (Python or Java) would be fine, as long as I understand the APIs that are being used. Just to be clear about my ask:
I have notable events in an index named notable. I need to be able to update the Severity or Urgency to a new value on an existing Notable Event.
Look forward to your blog post.
Thanks.

0 Karma

SplunkTrust

What version are you using?

0 Karma

Explorer

Thanks for the response Martin. Splunk Version is 6.2.2.
ES App version is: 3.2.2

0 Karma