Splunk Enterprise Security

Where does the incident review saved filters get saved to?

cmeisch
Path Finder

I want to create a default search filter for ALL users that go into ES Incident Review.  You can create a new filter but this I believe gets saved in your profile...  I go into /splunk/etc/users and I would think the app that supports incident review would have it but nope.  Ideas?

cmeisch_0-1681224236848.png

 

0 Karma
1 Solution

ccl0utier
Splunk Employee
Splunk Employee

@cmeisch I haven't done extensive testing, but the only way using Saved Filters seems to be to copy the KVStore entry to each user's context (one entry for each user).  For example, entries under nobody currently won't show up for any user.

You could alternatively add a link in your ES navigation that points to a default filter for Incident Review (or point users to a bookmarked URL for ES) that uses the correct URL parameters... for example:

/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?earliest=-24h%40h&latest=now&status=0&status=1&status=2&status=3

See here for a little more details:

https://docs.splunk.com/Documentation/ES/7.1.1/Admin/Customizemenubar#Add_a_link_to_a_filtered_view_...

Hope that helps.

View solution in original post

ccl0utier
Splunk Employee
Splunk Employee

Hi @cmeisch ,

This is stored in a KV store collection named filter_sets in the SA-ThreatIntelligence application under the relevant user's context.

For example, if I have created a saved filter named Open incidents as the admin user as follows:

ir_saved_filter_example.png

... Splunk will look at this REST endpoint:

/en-US/splunkd/__raw/servicesNS/admin/SA-ThreatIntelligence/storage/collections/data/filter_sets/61e0d46bfce79543a15dd844

Which contains:

lookup_example.png

 

0 Karma

ccl0utier
Splunk Employee
Splunk Employee

Just to add to my previous post, beware of using the UI to update the filter_sets KV store, for example through the Splunk App for Lookup File Editing.  Using that method is likely to save the JSON filter content as an escaped string, which will result in the Incident Review page not loading anymore (due to JS errors - which can be seen in the Browser JS Console).

Instead use the REST API endpoints directly (via curl or a script).  Here an example that worked for me:

  • Copy the JSON of a Saved Filter and adapt it if needed
  • Insert the new Saved Filter into the filter_sets collection under the target user's context (named "test" in my example):
curl -k -u admin:changeme \
https://localhost:8089/servicesNS/test/SA-ThreatIntelligence/storage/collections/data/filter_sets \
-H 'Content-Type: application/json' \
-d '{"filters": {"type": {"label": "Type", "values": [] }, "urgency": {"label": "Urgency", "values": [] }, "status": {"label": "Status", "values": ["0", "1", "2", "3"] }, "owner": {"label": "Owner", "values": [] }, "domain": {"label": "Domain", "values": [] }, "search": {"label": "Search", "values": ""}, "source": {"label": "Source", "values": [] }, "tag": {"label": "Tags", "values": [] }, "earliest": {"label": "Earliest", "values": "-24h@h"}, "latest": {"label": "Latest", "values": "now"}, "xref": {"label": "Associations", "values": [] } }, "name": "Open Incidents", "_user": "admin"}'
  • Re-read the newly added KV Store entry:
curl -k -u admin:changeme \
https://localhost:8089/servicesNS/test/SA-ThreatIntelligence/storage/collections/data/filter_sets
  • Make sure the data returned is properly formatted JSON (as opposed to a escaped string) and note the _key value that was assigned.
  • (Optionally) If you would like to make the new Saved Filter the default for the target user, add a defaultFilterSet entry with the _key value taken above to the user's user-prefs.conf file (under $SPLUNK_HOME/etc/users/test/user-prefs/local/user-prefs.conf).  For example:
[general]
tz = America/New_York
search_use_advanced_editor = true
search_line_numbers = false
search_auto_format = false
defaultFilterSet = 64497a238e2e60128c6be2e3

Have the target log out and log back in again, and you should be all set.

0 Karma

cmeisch
Path Finder

Thanks for the response and info @ccl0utier !!! My goal is to set a default filter for all who log into this ES.   Is this possible?

0 Karma

ccl0utier
Splunk Employee
Splunk Employee

@cmeisch I haven't done extensive testing, but the only way using Saved Filters seems to be to copy the KVStore entry to each user's context (one entry for each user).  For example, entries under nobody currently won't show up for any user.

You could alternatively add a link in your ES navigation that points to a default filter for Incident Review (or point users to a bookmarked URL for ES) that uses the correct URL parameters... for example:

/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?earliest=-24h%40h&latest=now&status=0&status=1&status=2&status=3

See here for a little more details:

https://docs.splunk.com/Documentation/ES/7.1.1/Admin/Customizemenubar#Add_a_link_to_a_filtered_view_...

Hope that helps.

cmeisch
Path Finder

Thank you sir!!!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...