Splunk Enterprise Security

customizing fields in incident review tickets

coolwater77
Explorer

Can I customize the fields that I see for an incident ticket for the notable event in the Incident Review dashboard?

For example, if I want to assign the compliance field that shows it's for PCI/SOX/HIPAA/GLBA, etc.

cpeteman
Contributor

Can you add more detail to the Example please, thanks!


jcoates_splunk
Splunk Employee

Hi - you need to use assets.csv to set a wildcard entry.


jcoates_splunk
Splunk Employee

The short and easy answer is to use the free-form search to look for bunit="whatever". To add another form field would require editing incident_review.xml, which will cause upgrade problems.


coolwater77
Explorer

Thank you for the details.

Also, if I have to create a new filter for the Business Unit in the Incident Review dashboard, how can I do it? The default filters that I currently see are only

"Status", "Urgency", "Owner", "Title", "Security Domain", "Governance", "Search"

I just wanted to add one more filter for "Business Unit".


jcoates_splunk
Splunk Employee

Sorry, didn't get a notification...
Configure > Assets > Edit, after your specific machine entries add a network range entry. http://docs.splunk.com/Documentation/ES/2.4/Install/Assetlist#Asset_fields


coolwater77
Explorer

Oh, OK. Can you please help me understand how I should update the asset.csv file (you mean the lookup file?) and also where to add the wildcard entry?


jcoates_splunk
Splunk Employee

Hi,

if the fields you want are covered in the CIM, I believe you can just use the map_notable_fields macro at the end of your search. More information on this here: http://docs.splunk.com/Documentation/ES/2.4/Install/ModifyCorrelationSearches#Raw_event_searches

If you want to use a field that is not in the CIM, it's more involved: http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#I_want_a_custom_field_in_the_Incident_Review_da...

coolwater77
Explorer

Thanks, I basically wanted to add a "src_bunit" field to my notable event. I checked the notable2.html file and the section under it does have the below listed:

'src_bunit' : 'Source Business Unit'

Let's say the raw event data that caused a notable event to be generated does not have 'src_bunit' in it. Is that why I am not able to see that field in the notable event? Can I force it to include the source business unit details somehow?


dhazekamp_splun
Splunk Employee

"src_bunit" can come from a number of places, but initially it is introduced via an asset or identity lookup (these run automatically). There are a number of ways to persist this into your notable events:

  1. Retain the field using a transforming command. (i.e. values(src_bunit) as src_bunit)
  2. map_notable_fields is only relevant if your search does not have a transforming command (contains _raw)
  3. If your notable events contain a subject (src/dest/dvc/orig_host) or an identity field (src_user,user) we re-introduce "src_bunit" as part of the asset/identity lookups performed on the notable event. This is OUTPUTNEW, so these lookups will not overwrite the field if it was persisted using #1.

David

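Putting the thread's advice together as an added example (this is not code from any of the posters or from Splunk's documentation): two forms of a correlation search that persist src_bunit into the notable event, following dhazekamp_splun's points 1 and 2, plus a check that the network-range asset entry jcoates_splunk describes actually landed in the asset lookup. The index, sourcetype, threshold, CIDR and bunit value are made up for illustration. The `get_asset(src)` macro and the `asset_lookup_by_cidr` lookup are ES object names assumed here; confirm they exist in your ES version under Settings > Advanced search > Search macros and Settings > Lookups before relying on them. SPL has no inline comment syntax, so each search is introduced by a plain label line that is not part of the search.

```spl
Form 1 - transforming search. The asset lookup populates src_bunit from the bunit column of
assets.csv; stats would drop it, so carry it through explicitly with values():

index=fw sourcetype=pan:traffic action=blocked
| `get_asset(src)`
| stats count, values(src_bunit) as src_bunit, values(dest) as dest by src
| where count > 100

Form 2 - raw-event search (no transforming command, _raw still present). Here the
map_notable_fields macro is what carries CIM fields such as src_bunit into the notable:

index=fw sourcetype=pan:traffic action=blocked
| `get_asset(src)`
| `map_notable_fields`

Check - confirm the wildcard (CIDR) asset row, e.g. ip=10.20.0.0/16 with bunit=finance,
placed after the specific machine rows in assets.csv, is present in the CIDR asset lookup:

| inputlookup asset_lookup_by_cidr
| search bunit=finance
| table ip bunit priority category pci_domain
```

If the check returns no rows after you edit assets.csv, the asset lookup tables have not been regenerated yet, and neither form above will produce src_bunit, so resolve that first before changing the correlation search. Form 1 is the one to use whenever the search aggregates; adding `map_notable_fields` after a stats command does nothing useful, as dhazekamp_splun notes.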