Splunk Enterprise Security
Highlighted

Splunk Enterprise Security: How to add fields to notable event after invoking adaptive response action?

Explorer

Hi,

I am wondering if it is possible to have my adaptive response actions append fields to the notable which triggered them. I am in a situation where my adaptive response action returns a link, and I would like for that link to be displayed alongside all other interesting fields in the notable.

I followed http://blogs.splunk.com/2015/04/13/how-to-edit-notable-events-in-es-programatically/ and tried to provide the REST API an argument like args['my_link'] and received the following error :

{"message":"ValueError: One of comment, owner, status, urgency is required.","success":false}

Is there anyway to update the notable and append new fields to it based on the results of adaptive response actions?

0 Karma
Highlighted

Re: Splunk Enterprise Security: How to add fields to notable event after invoking adaptive response action?

Splunk Employee
Splunk Employee

You will need to pass the argument as dictionary to the REST handler.

Try to set args['comment'] = 'my_link'

Highlighted

Re: Splunk Enterprise Security: How to add fields to notable event after invoking adaptive response action?

Explorer

I'm not trying to add a comment, I'm trying to add a whole new field to the notable

0 Karma
Highlighted

Re: Splunk Enterprise Security: How to add fields to notable event after invoking adaptive response action?

Splunk Employee
Splunk Employee

I don't think you can do it by just adding another field to the args.

Maybe just put the link in the comment field?

0 Karma
Highlighted

Re: Splunk Enterprise Security: How to add fields to notable event after invoking adaptive response action?

New Member

Did you ever find an answer to adding fields to "additional fields" after a notable was generated?

0 Karma
Highlighted

Re: Splunk Enterprise Security: How to add fields to notable event after invoking adaptive response action?

SplunkTrust
SplunkTrust

This may answer the question though it is not trivial.
http://www.georgestarcher.com/splunk-enterprise-security-enhancing-incident-review/

0 Karma