Splunk Enterprise Security

Splunk ES 8.2 API note management

Dima
Explorer

Hello,

Up until Splunk ES 8.1, Splunk ES had an option to update notable events using the following API:

https://help.splunk.com/en/splunk-enterprise-security-8/rest-api-reference/8.0/notable-event-endpoin...

Starting from Splunk ES 8.1, this API is no longer present.

In Splunk ES 8.2 there are new APIs:

https://help.splunk.com/en/splunk-enterprise-security-8/api-reference/8.2/splunk-enterprise-security...

and 

https://help.splunk.com/en/splunk-enterprise-security-8/api-reference/8.2/splunk-enterprise-security...

Those APIs are supposed to support updating notes (comments in old Splunk ES versions) as part of findings (notable events in old Splunk ES versions).

Apparently both of the APIs work only with investigations and not with findings; I got this error:

{
    "code": "MC_01202",
    "message": "No investigation found mapped to this display id: 0f17658c-9a6c-4de1-9945-b926a3f89c92@@notable",
    "request_id": "d4df853d-a45f-4336-ab34-a4160e78705b"
}

Any solution for that?

Can I still use the notable event API from here: https://help.splunk.com/en/splunk-enterprise-security-8/rest-api-reference/8.0/notable-event-endpoin... ?

Any help will be appreciated.

Dima
Explorer

Hi @livehybrid and thank you for the answer.

The example you provided doesn't work:

request:
curl --location 'https://<mysplunk>:8089/servicesNS/nobody/missioncontrol/public/v2/investigations/6237136d-044b-4dd6-9a70-229af0f55bde@@notable@@6237136d044b4dd69a70229af0f55bde/notes' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
--data '{
"title": "Test finding4 for ES 8.2 - new note 8",
"content": "Comment for Test finding4 for ES 8.2 - via new API",
"type": "Task"

}'

response:

{
"code": "MC_01202",
"message": "No investigation found mapped to this display id: 6237136d-044b-4dd6-9a70-229af0f55bde@@notable@@6237136d044b4dd69a70229af0f55bde",
"request_id": "b7e6edd4-498e-45f6-a344-96086203768e"
}

The example that worked for me:

request 2:

curl --location 'https://<mysplunk>/servicesNS/nobody/missioncontrol/public/v2/investigations/6237136d-044b-4dd6-9a70-229af0f55bde@@notable@@6237136d044b4dd69a70229af0f55bde/notes?notable_time=-3m' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
--data '{
"title": "Test finding4 for ES 8.2 - new note 16",
"content": "Comment for Test finding4 for ES 8.2 - via new API "
}'

response 2:

{
"id": "e258bd11-5e59-491a-b070-5d5d1af7cedd",
"create_time": 1761639950.3005178,
"update_time": 1761639950.3005178,
"title": "Test finding4 for ES 8.2 - new note 16",
"content": "Comment for Test finding4 for ES 8.2 - via new API ",
"author": {
"username": "developer"
},
"ai_generated": false,
"files": [],
"last_edited_by": null,
"response_plan_info": null,
"source": null,
"source_type": "Incident",
"incident_id": null,
"notable_id": "6237136d-044b-4dd6-9a70-229af0f55bde@@notable@@6237136d044b4dd69a70229af0f55bde"
}
The note is created correctly and can be seen in the UI.

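As an added example (not code from this thread and not Splunk's own client), the following Python puts the working request above into a small helper: it builds the v2 investigations notes URL for a finding id with the notable_time parameter that turned out to be needed, sends only title and content, and classifies the two response shapes seen in the thread (a created note with an "id", or the MC_01202 "No investigation found mapped to this display id" error). Function names, the SPLUNK_TOKEN environment variable, the sample base URL and the assumption that a successful create returns a 2xx status (the thread shows only the response body) are mine; the endpoint path, query parameter and JSON shapes come from the thread.

```python
"""Create a note on a Splunk ES 8.2 finding through the Mission Control v2
investigations API, passing the notable_time parameter the thread found to be
required for findings (ids of the form "<uuid>@@notable@@<hex>").

Added example, not code from the thread or from Splunk. Endpoint path, query
parameter, request body and the two response shapes are taken from the thread;
function names, the SPLUNK_TOKEN variable and the assumption that a successful
create returns a 2xx status (the thread shows only the body) are assumptions.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

NOTES_PATH = "/servicesNS/nobody/missioncontrol/public/v2/investigations/{id}/notes"

# Error code the thread shows when the notes endpoints cannot map a finding's
# display id to an investigation.
NO_INVESTIGATION = "MC_01202"


def build_notes_url(base_url, finding_id, notable_time="-3m"):
    """Build the notes URL for a finding.

    notable_time is the query parameter the thread found necessary when the
    id refers to a finding rather than an investigation; pass None to omit it.
    """
    path = NOTES_PATH.format(id=urllib.parse.quote(finding_id, safe="@"))
    url = base_url.rstrip("/") + path
    if notable_time:
        url += "?" + urllib.parse.urlencode({"notable_time": notable_time})
    return url


def build_note_body(title, content):
    """JSON body for the note. Only title and content are sent: the thread
    reports that "type": "Task" is undocumented and has no effect."""
    return json.dumps({"title": title, "content": content}).encode("utf-8")


def classify_response(status, payload):
    """Reduce an HTTP status and decoded JSON body to a small verdict dict.

    A created note is recognised by its "id"; the MC_01202 error is reported
    with the hint from the thread (pass notable_time for a finding).
    """
    if 200 <= status < 300 and "id" in payload:
        return {
            "ok": True,
            "note_id": payload["id"],
            "notable_id": payload.get("notable_id"),
            # The thread observes source_type "Incident" on notes created this
            # way rather than the "Task" the docs show; surface it for the caller.
            "source_type": payload.get("source_type"),
        }
    code = payload.get("code")
    if code == NO_INVESTIGATION:
        reason = "finding id not mapped to an investigation; pass notable_time"
    else:
        reason = payload.get("message", "unexpected response")
    return {"ok": False, "code": code, "reason": reason,
            "request_id": payload.get("request_id")}


def create_note(base_url, finding_id, title, content, token=None,
                notable_time="-3m", timeout=30):
    """POST the note. The bearer token comes from the argument or from the
    SPLUNK_TOKEN environment variable (assumed name) and is never included in
    any message raised or returned by this function."""
    token = token or os.environ.get("SPLUNK_TOKEN")
    if not token:
        raise RuntimeError("no API token: pass token= or set SPLUNK_TOKEN")
    req = urllib.request.Request(
        build_notes_url(base_url, finding_id, notable_time),
        data=build_note_body(title, content),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": "Bearer " + token,
        },
    )
    try:
        # urlopen verifies the server certificate by default; keep it that way.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        try:
            payload = json.load(err)  # error responses carry a JSON body
        except ValueError:
            payload = {"message": "non-JSON error body (HTTP %d)" % err.code}
        return classify_response(err.code, payload)


if __name__ == "__main__":
    # Offline demonstration on constructed copies of the thread's two bodies.
    finding = ("6237136d-044b-4dd6-9a70-229af0f55bde"
               "@@notable@@6237136d044b4dd69a70229af0f55bde")
    print(build_notes_url("https://splunk.example.internal:8089", finding))
    print(classify_response(404, {"code": "MC_01202",
                                  "message": "No investigation found mapped to this display id: " + finding,
                                  "request_id": "constructed-request-id"}))
    print(classify_response(200, {"id": "constructed-note-id",
                                  "source_type": "Incident",
                                  "notable_id": finding}))
```

Run it as-is to see the URL and the two classified responses offline; call create_note() with a real base URL and SPLUNK_TOKEN set to post a note. The token is read from the environment rather than written into the script so that it does not end up in shell history or logs, and TLS verification is left at urllib's default.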

livehybrid
SplunkTrust

Ah, great news. So, to confirm for anyone else trying this, the notable_time param is required when creating a note? I didn't see this in the docs. I'll enquire as to whether the docs aren't correct or it's a bug that the notable_time must be passed to create a note.

curl --location 'https://<mysplunk>/servicesNS/nobody/missioncontrol/public/v2/investigations/6237136d-044b-4dd6-9a70-229af0f55bde@@notable@@6237136d044b4dd69a70229af0f55bde/notes?notable_time=-3m' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
--data '{
"title": "Test finding4 for ES 8.2 - new note 16",
"content": "Comment for Test finding4 for ES 8.2 - via new API "
}'

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


Dima
Explorer

This specific API is working fine, yes.

But the problem comes when you try to get notes or update a specific note.

The response in most cases will be:

{
    "code": "MC_01202",
    "message": "No investigation found mapped to this display id: 6237136d-044b-4dd6-9a70-229af0f55bde@@notable@@6237136d044b4dd69a70229af0f55bde",
    "request_id": "3d497390-1472-41d5-b702-19cf60750d60"
}

I suspect the reason is the following.
When we look at the response from my example we can see the following:
 "source_type": "Incident",

But when we look at the documentation example here:

we see "source_type": "Task"

IMHO this is a bug:
1. "type": "Task" in the request is not documented and has no effect
2. Apparently Splunk considers the new note connected to an investigation and not to the finding, and that's why I see an error for any other note-related API

livehybrid
SplunkTrust

Hi @Dima 

Does this work?

curl --request POST \
  --url https://<yourSplunkServer>:8089/servicesNS/nobody/missioncontrol/public/v2/investigations/0f17658c-9a6c-4de1-9945-b926a3f89c92@@notable@@0f17658c9a6c4de19945b926a3f89c92/notes \
  --header 'Accept: application/json' \
  --header 'Authorization: <yourAuthToken>' \
  --header 'Content-Type: application/json' \
  --data '{
  "title": "Note Title",
  "content": "Note content",
  "type": "Task"
}'
