Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: Is there a way to write a search to identify when there is already an existing notable event?

eliyyah
Explorer
‎09-14-2016 10:27 AM

If this has already been covered, please provide a link, but I haven't seen anything. My organization uses Splunk Cloud and we have Enterprise Security installed. Does anyone know if there is a way to configure a search to identify when there is already an existing created notable event? As we identify things of interest or things that we'd like to pursue on a day-to-day basis in our logs, we'd like to prevent multiple investigations of the same targets and would like to configure a search to include or exclude those events.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

haley_swarnapat
Path Finder
‎09-16-2016 08:30 AM

It seems that my suggestion works, now I repost as answer to get karma 🙂

index=notable | TABLE host rule_title creator owner status

View solution in original post

Reply
Solved! Jump to solution

jonasmeier
Explorer
‎05-15-2018 04:08 AM

Does not seem to work for me (ES 4.7.2 and above) and it is clear why: owner and status are not saved in the notable index but in a kv store lookup. To lookup these fields you can use the macro "notable"
So this works for me:

`notable`  | TABLE host search_name rule_title owner status
0 Karma
Reply
Solved! Jump to solution
Solution

haley_swarnapat
Path Finder
‎09-16-2016 08:30 AM

It seems that my suggestion works, now I repost as answer to get karma 🙂

index=notable | TABLE host rule_title creator owner status

Reply
Solved! Jump to solution

haley_swarnapat
Path Finder
‎09-16-2016 02:14 AM

Is this what you mean?

index=notable | TABLE host rule_title creator owner status

Reply
Solved! Jump to solution

eliyyah
Explorer
‎09-16-2016 05:37 AM

I think we can work with this, thank you very much. Now all we'll have to do is figure out exactly how we can use it to accomplish our goals.

Thanks again guys appreciate your help!

0 Karma
Reply
Solved! Jump to solution

draracle
Engager
‎09-15-2016 05:58 AM

Are you asking for a search that would show something like the following? This would be fantastic -- I have no idea if it can be done though.

[Host Name] [Threat Reason] [Notable Event Assigned/In-Process?] [Person Working Case]
ABC123 Malware Yes John Smith

0 Karma
Reply
Solved! Jump to solution

eliyyah
Explorer
‎09-15-2016 06:35 AM

Yeah that'd be great, can someone take a look at this? Anything with the notable event for the new version of ES (and we're currently using Splunk 6.4.1.2 and ES version 4.2.0).

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...