Splunk Enterprise Security

How to write a search query to get notable events based on last modified time for a correlation rule?

shravankumarkus
New Member

How do we write a search query to get notable events based on the last modified time for a correlation rule?

I want to see notable events based on modifications to the notable event, like status updates, comments, priority changes, etc.

Is there a way to get notable events based on modified time instead of earliest and latest times? I would also need all fields from the notable index.

I found that the review_time field gets updated when we change some field via the Incident Review tab in Splunk ES.

How do we write a query to get review_time > some epoch time?

<field k='review_time'>
    <value>
        <text>1564640460.15607</text>
    </value>
    <value>
        <text>1564638955.786255</text>
    </value>
    <value>
        <text>1564638489.151153</text>
    </value>
</field>
0 Karma

jawaharas
Motivator

You can use the macro incident_review or the query below (expansion of the macro) to view notable events based on modified time.

| inputlookup append=T incident_review_lookup 
| rename user as reviewer 
| `get_realname(owner)` 
| `get_realname(reviewer)` 
| eval nullstatus=if(isnull(status),"true","false") 
| `get_reviewstatuses` 
| eval status=if((isnull(status) OR isnull(status_label)) AND nullstatus=="false",0,status) 
| eval status_label=if(isnull(status_label) AND nullstatus=="false","Unassigned",status_label) 
| eval status_description=if(isnull(status_description) AND nullstatus=="false","unknown",status_description) 
| eval _time=time 
| `uitime(time)` 
| fields - nullstatus
0 Karma

shravankumarkus
New Member

Thanks @jawaharas

Can you please give me a query using the incident_review macro to get notable events based on last modified timestamp and to get all the fields of the notable event? I'm very new to this and it's difficult for me to understand the expansion.

Basically, I have to get notable events modified for a correlation rule.

0 Karma

jawaharas
Motivator

Try the query below.

|`incident_review`
| eval last_modified_timestamp=strftime('_time', "%m/%d/%Y %H:%M:%S")
| fields - time
0 Karma

shravankumarkus
New Member

Thanks 🙂

I would need all fields from the notable index for a notable event having a last modified timestamp greater than some configurable time; basically, I have to pass a configurable time.

0 Karma

jawaharas
Motivator

Questions:
1. Can you list the fields you need from the notable index?
2. Will you hardcode the 'configurable time' value in the query?

0 Karma

shravankumarkus
New Member

Basically all fields from the notable index, fields *
Yes, I will calculate last modified from code, so it would be kind of hardcoded in the search query.

Basically, I'm firing a REST query from our code.

0 Karma

jawaharas
Motivator

@shravankumarkusuma

I don't think you will get the 'notable' event fields with the 'incident_review' macro. Anyway, you can get the 'incidents' whose modified time is greater than the given time (the myTime variable in this case).

|`incident_review`
| eval last_modified_timestamp=_time 
| eval myTime=relative_time(time(),"-3d") 
| where last_modified_timestamp>myTime 
| fields - time
0 Karma

jawaharas
Motivator

@shravankumarkusuma

Can you accept the answer if it has helped you? Thanks.

0 Karma

simon_lavigne
Path Finder

To expand on @jawaharas' answer, you can pass the rule_id value from the incident_review macro to the notable_by_id macro to retrieve the notable details.

| `incident_review` 
| eval last_modified_timestamp=_time 
| eval myTime=relative_time(time(),"-4h") 
| where last_modified_timestamp>myTime 
| fields - time 
| map search=" search `notable_by_id($rule_id$)`"
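Since the asker builds the query in code and fires it over REST, here is one added example (not code from any poster) that combines the pieces of this thread: the review records from `incident_review` are reduced to one row per rule_id with its latest review time, filtered by a configurable epoch threshold, and each surviving rule_id is expanded with `notable_by_id`. The base URL, token and rule name are placeholders; it assumes Splunk token authentication and that `rule_name` on the notable event carries the correlation search name.

```python
"""Fetch ES notable events whose Incident Review entries changed after a given epoch time.
Added example for this thread, not code from any poster or from Splunk ES itself."""
import json
import urllib.parse
import urllib.request
from typing import Optional


def build_query(min_epoch: float, rule_name: Optional[str] = None, max_searches: int = 1000) -> str:
    """Build the SPL. `_time` after the incident_review macro is the review time
    (the macro does `eval _time=time`). Collapsing to one row per rule_id keeps `map`
    from re-running the notable search for every edit of the same notable (the asker's
    review_time field showed three values for one notable). `map` runs at most 10
    subsearches by default, hence maxsearches is raised explicitly."""
    spl = (
        "| `incident_review` "
        f"| where _time > {float(min_epoch)} "  # float() guarantees a numeric literal, nothing else, lands in the query
        "| stats max(_time) as last_modified_timestamp by rule_id "
        f"| map maxsearches={int(max_searches)} "
        'search="search `notable_by_id($rule_id$)` '
        '| eval last_modified_timestamp=$last_modified_timestamp$" '
    )
    if rule_name is not None:
        # Escape backslashes and quotes so an odd rule name cannot break out of the quoted value.
        safe = rule_name.replace("\\", "\\\\").replace('"', '\\"')
        spl += f'| search rule_name="{safe}" '
    return spl.strip()


def fetch_notables(base_url: str, token: str, spl: str, timeout: int = 120) -> list:
    """POST the search to search/jobs/export (streams results as one JSON object per line)
    and return the result rows. base_url is e.g. https://splunk.example.invalid:8089 (placeholder)."""
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    req = urllib.request.Request(
        f"{base_url}/services/search/jobs/export",
        data=body,
        headers={"Authorization": f"Bearer {token}"},
    )
    rows = []
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # default context verifies the TLS certificate
        for line in resp:
            if line.strip():
                obj = json.loads(line)
                if "result" in obj:  # skip preview/lastrow bookkeeping objects
                    rows.append(obj["result"])
    return rows


if __name__ == "__main__":
    # Constructed epoch threshold taken from the asker's review_time values; rule name is a placeholder.
    print(build_query(1564638000, "Example Correlation Rule"))
```

The returned rows carry the full notable fields from `notable_by_id` plus the `last_modified_timestamp` that the map step threads through.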