Splunk Enterprise Security

customizing fields in incident review tickets

coolwater77
Explorer

Can I customized the fields that I see for an incident ticket for the notable event in the incident review dashboard.

For example if I want to assign the compliance field that shows its for PCI/SOX/HIPPA/GLBA....etc

cpeteman
Contributor

Can you add more detail to the Example please, thanks!

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Hi - you need to use assets.csv to set a wildcard entry.

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

the short and easy answer is the use the free-form search to look for bunit="whatever". To add another form field would require editing the incident_review.xml, which will cause upgrade problems.

0 Karma

coolwater77
Explorer

Thank you for the details.

Also, if I have to create a new filter for the Business Unit in the incident review dashboard. How can I do it. The default filters that I currently see are only

"Status" , "Urgency" , "Owner" , "Title" , "Security Domain" , "Governance" , " Search"

I just wanted to add one more filter for "Bussiness Unit"

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Sorry, didn't get a notification...
Configure > Assets > Edit, after your specific machine entries add a network range entry. http://docs.splunk.com/Documentation/ES/2.4/Install/Assetlist#Asset_fields

0 Karma

coolwater77
Explorer

Oh ok. can you please help me understand how i should update the asset.csv file ( you mean the lookup file?) and also where to add the wild card entry

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Hi,

if the fields you want are covered in the CIM, I believe you can just use the map_notable_fields macro at the end of your search. More information on this here: http://docs.splunk.com/Documentation/ES/2.4/Install/ModifyCorrelationSearches#Raw_event_searches

If you want to use a field that is not in the CIM, it's more involved: http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#I_want_a_custom_field_in_the_Incident_Review_da...

coolwater77
Explorer

Thanks , I basically wanted to add a "src_bunit" field to my notable event. I checked the notable2.html file and the section under it does have the below listed under it

'src_bunit' : 'Source Business Unit'

Lets say if raw event data that caused to generate a notable event does not have a 'src_bunit' in it is that why I am not able to see that field in the notable event. Can I force to include the source bussiness unit details somehow

0 Karma

dhazekamp_splun
Splunk Employee
Splunk Employee

"src_bunit" can come from a number of places, but initially it is introduced via an asset or identity lookup (these run automatically). There are a number of ways to persist this into your notable events:

  1. Retain the field using a transforming command. (i.e. values(src_bunit) as src_bunit)
  2. map_notable_fields is only relevant if your search does not have a transforming command (contains _raw)
  3. If your notable events contain a subject (src/dest/dvc/orig_host) or an identity field (src_user,user) we re-introduce "src_bunit" as part of the asset/identity lookups performed on the notable event. This is OUTPUTNEW, so these lookups will not overwrite the field if it was persisted using #1.

David

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...