Splunk Enterprise Security

SplunkES plus SOAR: Analyst List, Notable Assignment and Centralized Authentication


Ever tried to assign a SplunkES Notable via Splunk SOAR to have it fail? So you also use centralized authentication such as Okta with your Splunk deployment? Here is what is happening.

SplunkES uses the list of users (cached from SSO and local) as seen in the Settings-Users to build the pull down for ES Notable assignment. This list also matters when assigning notables via the UI such as using Splunk SOAR.

If your analyst has not accessed the SplunkES server at least once they won't show in the SSO cached users.

The search that generates this list is `Threat - Notable Owners - Lookup Gen`

So either make sure any analyst Splunk SOAR might assign a notable to logs into SplunkES at least once. OR make yourself a static lookup table of names and shim it into `Threat - Notable Owners - Lookup Gen`

Just remember the lookup will need two columns; owner,realname.   A modified search might look like the following.

| rest splunk_server=local count=0 /services/authentication/users 
| search capabilities="can_own_notable_events" 
| rename title as owner 
| append 
    [| makeresults 
    | eval owner="unassigned" ] 
| eval _key=owner 
| eval realname=if(isnull(realname) or realname="", null(), realname) 
| table _key owner realname 
| inputlookup append=true static_es_analysts_list 
| dedup owner
| eval _key=owner
| outputlookup notable_owners_lookup
| stats count
Labels (2)
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...