Splunk Enterprise Security

SplunkES plus SOAR: Analyst List, Notable Assignment and Centralized Authentication


Ever tried to assign a SplunkES Notable via Splunk SOAR to have it fail? So you also use centralized authentication such as Okta with your Splunk deployment? Here is what is happening.

SplunkES uses the list of users (cached from SSO and local) as seen in the Settings-Users to build the pull down for ES Notable assignment. This list also matters when assigning notables via the UI such as using Splunk SOAR.

If your analyst has not accessed the SplunkES server at least once they won't show in the SSO cached users.

The search that generates this list is `Threat - Notable Owners - Lookup Gen`

So either make sure any analyst Splunk SOAR might assign a notable to logs into SplunkES at least once. OR make yourself a static lookup table of names and shim it into `Threat - Notable Owners - Lookup Gen`

Just remember the lookup will need two columns; owner,realname.   A modified search might look like the following.

| rest splunk_server=local count=0 /services/authentication/users 
| search capabilities="can_own_notable_events" 
| rename title as owner 
| append 
    [| makeresults 
    | eval owner="unassigned" ] 
| eval _key=owner 
| eval realname=if(isnull(realname) or realname="", null(), realname) 
| table _key owner realname 
| inputlookup append=true static_es_analysts_list 
| dedup owner
| eval _key=owner
| outputlookup notable_owners_lookup
| stats count
Labels (2)
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...