Splunk Enterprise Security

SplunkES plus SOAR: Analyst List, Notable Assignment and Centralized Authentication

starcher
Influencer

Ever tried to assign a SplunkES Notable via Splunk SOAR to have it fail? So you also use centralized authentication such as Okta with your Splunk deployment? Here is what is happening.

SplunkES uses the list of users (cached from SSO and local) as seen in the Settings-Users to build the pull down for ES Notable assignment. This list also matters when assigning notables via the UI such as using Splunk SOAR.

If your analyst has not accessed the SplunkES server at least once they won't show in the SSO cached users.

The search that generates this list is `Threat - Notable Owners - Lookup Gen`

So either make sure any analyst Splunk SOAR might assign a notable to logs into SplunkES at least once. OR make yourself a static lookup table of names and shim it into `Threat - Notable Owners - Lookup Gen`

Just remember the lookup will need two columns; owner,realname.   A modified search might look like the following.

| rest splunk_server=local count=0 /services/authentication/users 
| search capabilities="can_own_notable_events" 
| rename title as owner 
| append 
    [| makeresults 
    | eval owner="unassigned" ] 
| eval _key=owner 
| eval realname=if(isnull(realname) or realname="", null(), realname) 
| table _key owner realname 
| inputlookup append=true static_es_analysts_list 
| dedup owner
| eval _key=owner
| outputlookup notable_owners_lookup
| stats count
Labels (2)
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...