Splunk Enterprise Security

customizing fields in incident review tickets

Explorer

Can I customize the fields that I see for an incident ticket for the notable event in the incident review dashboard?

For example, if I want to assign the compliance field that shows it's for PCI/SOX/HIPAA/GLBA, etc.

Contributor

Can you add more detail to the Example please, thanks!

0 Karma

Splunk Employee

Hi - you need to use assets.csv to set a wildcard entry.

0 Karma

Splunk Employee

The short and easy answer is to use the free-form search to look for bunit="whatever". To add another form field would require editing incident_review.xml, which will cause upgrade problems.

0 Karma

Explorer

Thank you for the details.

Also, if I have to create a new filter for the Business Unit in the incident review dashboard, how can I do it? The default filters that I currently see are only

"Status", "Urgency", "Owner", "Title", "Security Domain", "Governance", "Search"

I just wanted to add one more filter for "Business Unit".

0 Karma

Splunk Employee

Sorry, didn't get a notification...
Configure > Assets > Edit, after your specific machine entries add a network range entry. http://docs.splunk.com/Documentation/ES/2.4/Install/Assetlist#Asset_fields

0 Karma

Explorer

Oh, OK. Can you please help me understand how I should update the asset.csv file (you mean the lookup file?) and also where to add the wildcard entry.

0 Karma

Splunk Employee

Hi,

If the fields you want are covered in the CIM, I believe you can just use the map_notable_fields macro at the end of your search. More information on this here: http://docs.splunk.com/Documentation/ES/2.4/Install/ModifyCorrelationSearches#Raw_event_searches

If you want to use a field that is not in the CIM, it's more involved: http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#I_want_a_custom_field_in_the_Incident_Review_da...

Explorer

Thanks, I basically wanted to add a "src_bunit" field to my notable event. I checked the notable2.html file, and the section in it does have the following listed:

'src_bunit' : 'Source Business Unit'

Let's say the raw event data that generated a notable event does not have a 'src_bunit' in it. Is that why I am not able to see that field in the notable event? Can I force it to include the source business unit details somehow?

0 Karma

Splunk Employee

"src_bunit" can come from a number of places, but initially it is introduced via an asset or identity lookup (these run automatically). There are a number of ways to persist this into your notable events:

  1. Retain the field using a transforming command. (i.e. values(src_bunit) as src_bunit)
  2. map_notable_fields is only relevant if your search does not have a transforming command (contains _raw)
  3. If your notable events contain a subject (src/dest/dvc/orig_host) or an identity field (src_user,user) we re-introduce "src_bunit" as part of the asset/identity lookups performed on the notable event. This is OUTPUTNEW, so these lookups will not overwrite the field if it was persisted using #1.

David

0 Karma
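An added example, not from this thread or from Splunk's documentation, showing the two search shapes David describes (#1 and #2) as savedsearches.conf stanzas; the stanza names, index, sourcetype and thresholds are assumed, and the ES notable-event action settings for each stanza are left out.

```ini
# Added example, not from this thread. Variant 1 (transforming command):
# the automatic asset lookup fills src_bunit on each raw event, but
# stats only keeps the fields you name, so src_bunit must be carried
# through explicitly with values(src_bunit) or the notable event will
# not show a Source Business Unit.
# src is kept as well, so the notable-time asset lookup (OUTPUTNEW)
# can still fill src_bunit if this search somehow left it empty.
[Example - Repeated Auth Failures by Source - Rule]
search = index=auth sourcetype=linux_secure action=failure \
    | stats count, values(src_bunit) as src_bunit, dc(user) as user_count by src \
    | where count > 20
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1

# Variant 2 (raw event search): no transforming command, so each result
# row still carries _raw and the original event fields. Appending the
# map_notable_fields macro maps the CIM fields, src_bunit included when
# the asset lookup matched src, into the notable event.
[Example - Failed Root Login - Rule]
search = index=auth sourcetype=linux_secure action=failure user=root \
    | `map_notable_fields`
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
```

Only the search logic is shown; the notable-event action for each stanza still has to be enabled in ES for the results to reach Incident Review.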