If this has already been covered, please provide a link, but I haven't seen anything. My organization uses Splunk Cloud and we have Enterprise Security installed. Does anyone know if there is a way to configure a search to identify when there is already an existing created notable event? As we identify things of interest or things that we'd like to pursue on a day-to-day basis in our logs, we'd like to prevent multiple investigations of the same targets and would like to configure a search to include or exclude those events.
Does not seem to work for me (ES 4.7.2 and above) and it is clear why: owner and status are not saved in the notable index but in a kv store lookup. To lookup these fields you can use the macro "notable"
So this works for me:
`notable` | TABLE host search_name rule_title owner status
I think we can work with this, thank you very much. Now all we'll have to do is figure out exactly how we can use it to accomplish our goals.
Thanks again guys appreciate your help!
Are you asking for a search that would show something like the following? This would be fantastic -- I have no idea if it can be done though.
[Host Name] [Threat Reason] [Notable Event Assigned/In-Process?] [Person Working Case]
ABC123 Malware Yes John Smith
Yeah that'd be great, can someone take a look at this? Anything with the notable event for the new version of ES (and we're currently using Splunk 220.127.116.11 and ES version 4.2.0).