Splunk Enterprise Security

Splunk ES App incident management for notable events

coolwater77
Explorer

The ES App is currently configured to run a few correlation searches, and when notable events are created those events can be assigned to an owner (Analyst 1) under the Incident Review dashboard for further investigation; at this point the incident is changed from "new" to "in progress". Let's say Analyst 1 is unable to resolve and close the incident. How can I assign the same incident to a different owner (Analyst 2) to perform second-level investigation, capturing everything the first-level analyst did so far?

Secondly, is there a way to find out metrics about how long the first-level analyst took to resolve or re-assign the notable event to 2nd-level support, and also how long it took to resolve and close the notable events by the 1st/2nd and 3rd-level security analysts?

sheamus69
Communicator

Splunk ES 4.x allows you to create an Investigation and add analysts to it.

The investigation allows for searches, comments, etc. to be added to a timeline. It's not perfect, but it might suit what you are trying to do?

0 Karma

sahilyahiya
Explorer

I am also looking for an Incident Review feature which allows us to calculate the time taken by Analyst 1 and Analyst 2 for resolving the ticket in Incident Review.

0 Karma

LukeMurphey
Champion

I broke out your two questions and handled them separately:

How can I assign the same incident to a different owner (Analyst 2) to perform second-level investigation, capturing everything the first-level analyst did so far?

You can re-assign the case in Incident Review (though I'm sure you already know that). The notes from the previous Analyst are not included in the new status but the previous history of the incident still exists. You can see the history of the incident by viewing it on the Incident Review page, showing the details, and clicking "View all review activity for this Notable Event".

Secondly, is there a way to find out metrics about how long the first-level analyst took to resolve or re-assign the notable event to 2nd-level support, and also how long it took to resolve and close the notable events by the 1st/2nd and 3rd-level security analysts?

Viewing all activity of a notable event will give you an idea of the lifecycle of the incident. That said, while it does display the history of the events, it doesn't currently display the amount of time it was in that state. Feel free to open an enhancement request if you want that, it probably wouldn't be too hard to implement.
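Luke's answer points out that the review activity history shows each status change but not how long the notable sat in each state. The SPL below is an added example, not from this thread or from Splunk's own content: it derives per-status and per-owner dwell time from the same audit records, and assumes the ES KV-store lookups `incident_review_lookup` (fields `time`, `rule_id`, `owner`, `status`) and `reviewstatuses_lookup` (fields `status`, `label`) with the names they have in ES 4.x and later; confirm the field names in your version with `| inputlookup incident_review_lookup | head 5` before relying on it.

```spl
| inputlookup incident_review_lookup
| eval _time=time
| sort 0 rule_id _time
| streamstats current=f last(_time) AS prev_time last(status) AS prev_status last(owner) AS prev_owner by rule_id
| where isnotnull(prev_time)
| eval dwell_secs=_time-prev_time
| lookup reviewstatuses_lookup status AS prev_status OUTPUT label AS prev_status_label
| stats sum(dwell_secs) AS secs_in_status min(prev_time) AS entered max(_time) AS left by rule_id prev_owner prev_status_label
| eval hours_in_status=round(secs_in_status/3600,2)
| convert ctime(entered) ctime(left)
| sort 0 rule_id entered
```

Each row is one (notable, owner, status) leg: `streamstats current=f` carries the previous review record forward so the gap to the next status change is charged to the owner and status that were in effect during it; summing `secs_in_status` by `prev_owner` alone gives total handling time per analyst, and the first leg whose label is "New" is the time to first response.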

AndySplunks
Communicator

Have you created any dashboards around this?

I'm looking to create a dashboard showing dwell time for each notable event. So for instance, how long until someone responds, how long until someone closes the event, etc.

Related to that, I'm also looking around in ES to see how to create a dashboard of newly open events, events still open, and events closed.

I'm basically trying to create a notable event management dashboard.

0 Karma

dirkmeeuwsen
Explorer

I am looking to do the same! Let me know if you figure anything out and I will do the same. 😃

0 Karma

coolwater77
Explorer

Thanks for the details, Luke.

0 Karma

wyzandrea
New Member

Good methods for the Splunk ES app incident management for notable events.

0 Karma