Hi
Is it possible to clone/duplicate Incident Review in the Splunk Enterprise Security app? I would like to create 2 Incident Review dashboards and segregate the notable events based on the correlation search or notable events name.
Any advice will be appreciated.
Thank you.
Rather than clone the dashboard, the best way to do this would be to modify the menu navigation to include links to two filtered views of the same incident review dashboard. See http://docs.splunk.com/Documentation/ES/4.5.1/User/ManageSearches#Add_a_link_to_the_ES_menu for instructions on how to do that.
Rather than clone the dashboard, the best way to do this would be to modify the menu navigation to include links to two filtered views of the same incident review dashboard. See http://docs.splunk.com/Documentation/ES/4.5.1/User/ManageSearches#Add_a_link_to_the_ES_menu for instructions on how to do that.
Hi,
Thank you. I have read this, however I can only filter based on the the field available in the form e.g. status
IR - In Progress
My objective is to filter based on the 'notable event name' e.g. notable event windows_xxx in the dashboard and linux_xxxx in the other dashboard.
can it be done using name/search? since, there is a name and search textbox in the original dahsboard to perform filter. if can be done, can you share the field name for that?
thanks
I believe this is what you are looking for
form.source
Display notable events created by the correlation search specified by this parameter. HTML-encode spaces in the correlation search name and use the name that appears in the notable event rather than the name that appears on Content Management. Endpoint - Host With Multiple Infections - Rule form.source=Endpoint%20-%20Host%20With%20Multiple%20Infections%20-%20Rule
Hello @dellytaniasetiawan, there should be a way to search for the name of the search in the search box on incident review and use the resulting form tokens added to the URL to create a filtered view similar to IR - In Progress. Unfortunately I'm unable to test what those form tokens would look like because they're affected by a bug and not getting added to the URL. Depending on the version of ES installed, you're likely also affected by that bug.
So yes, it can be done, but I can't yet share the field name to use. I'll keep looking for a way to test, and update here if I track it down.
@dellytaniasetiawan --> try ?form.rule_name=
where rule name is the name of the correlation search (or part of the name). Encode spaces as %20.
For example, to see all notable events created by the correlation search Abnormally High Number of HTTP Method Events By Src, the portion of the URL that you would add to the menu navigation would be:
/app/SplunkEnterpriseSecuritySuite/incident_review?form.rule_name=Abnormally%20High%20Number%20of%20HTTP%20Method%20Events%20By%20Src
You can mimic this by drilling down from the "Top Notable Events" panel of the Security Posture dashboard. Let me know if this works for you, and thanks for your patience!
Hi,
Thanks for the help!