Splunk Enterprise Security

Splunk Enterprise Security: How to clone and modify the Incident Review dashboard?

dellytaniasetia
Explorer

Hi

Is it possible to clone/duplicate Incident Review in the Splunk Enterprise Security app? I would like to create 2 Incident Review dashboards and segregate the notable events based on the correlation search or notable events name.

Any advice will be appreciated.

Thank you.

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

Rather than clone the dashboard, the best way to do this would be to modify the menu navigation to include links to two filtered views of the same incident review dashboard. See http://docs.splunk.com/Documentation/ES/4.5.1/User/ManageSearches#Add_a_link_to_the_ES_menu for instructions on how to do that.

View solution in original post

smoir_splunk
Splunk Employee
Splunk Employee

Rather than clone the dashboard, the best way to do this would be to modify the menu navigation to include links to two filtered views of the same incident review dashboard. See http://docs.splunk.com/Documentation/ES/4.5.1/User/ManageSearches#Add_a_link_to_the_ES_menu for instructions on how to do that.

dellytaniasetia
Explorer

Hi,

Thank you. I have read this, however I can only filter based on the the field available in the form e.g. status
IR - In Progress

My objective is to filter based on the 'notable event name' e.g. notable event windows_xxx in the dashboard and linux_xxxx in the other dashboard.

can it be done using name/search? since, there is a name and search textbox in the original dahsboard to perform filter. if can be done, can you share the field name for that?

thanks

0 Karma

CSmoke
Path Finder

I believe this is what you are looking for

form.source

Display notable events created by the correlation search specified by this parameter. HTML-encode spaces in the correlation search name and use the name that appears in the notable event rather than the name that appears on Content Management. Endpoint - Host With Multiple Infections - Rule form.source=Endpoint%20-%20Host%20With%20Multiple%20Infections%20-%20Rule

http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Customizemenubar#Add_a_link_to_a_filtered_view_o...

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Hello @dellytaniasetiawan, there should be a way to search for the name of the search in the search box on incident review and use the resulting form tokens added to the URL to create a filtered view similar to IR - In Progress. Unfortunately I'm unable to test what those form tokens would look like because they're affected by a bug and not getting added to the URL. Depending on the version of ES installed, you're likely also affected by that bug.

So yes, it can be done, but I can't yet share the field name to use. I'll keep looking for a way to test, and update here if I track it down.

smoir_splunk
Splunk Employee
Splunk Employee

@dellytaniasetiawan --> try ?form.rule_name=
where rule name is the name of the correlation search (or part of the name). Encode spaces as %20.

For example, to see all notable events created by the correlation search Abnormally High Number of HTTP Method Events By Src, the portion of the URL that you would add to the menu navigation would be:

/app/SplunkEnterpriseSecuritySuite/incident_review?form.rule_name=Abnormally%20High%20Number%20of%20HTTP%20Method%20Events%20By%20Src

You can mimic this by drilling down from the "Top Notable Events" panel of the Security Posture dashboard. Let me know if this works for you, and thanks for your patience!

dellytaniasetia
Explorer

Hi,

Thanks for the help!

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...