Splunk Enterprise Security

How to write a search query to get notable events based on last modified time for a correlation rule?

New Member

How do we write a search query to get notable events based on last modified time for a correlation rule?

I want to see notable events based on modifications to the notable event, like a status update, comment, priority change, etc.

Is there a way to get notable events based on modified time instead of earliest and latest times? I would need all fields from the notable index.

I found that the review_time field gets updated when we change some field via the Incident Review tab in Splunk ES.

How do we write a query to get review_time > some epoch time?

<field k='review_time'>
    <value>
        <text>1564640460.15607</text>
    </value>
    <value>
        <text>1564638955.786255</text>
    </value>
    <value>
        <text>1564638489.151153</text>
    </value>
</field>

Motivator

You can use the macro incident_review or the query below (the expansion of the macro) to view notable events based on modified time.

| inputlookup append=T incident_review_lookup 
| rename user as reviewer 
| `get_realname(owner)` 
| `get_realname(reviewer)` 
| eval nullstatus=if(isnull(status),"true","false") 
| `get_reviewstatuses` 
| eval status=if((isnull(status) OR isnull(status_label)) AND nullstatus=="false",0,status) 
| eval status_label=if(isnull(status_label) AND nullstatus=="false","Unassigned",status_label) 
| eval status_description=if(isnull(status_description) AND nullstatus=="false","unknown",status_description) 
| eval _time=time 
| `uitime(time)` 
| fields - nullstatus

New Member

Thanks @jawaharas

Can you please give me a query using the incident_review macro to get notable events based on last modified timestamp and to get all the fields of the notable event? I'm very new to this and it's difficult for me to understand the expansion.

Basically I have to get notable events modified for a correlation rule.


Motivator

Try the query below.

|`incident_review`
| eval last_modified_timestamp=strftime('_time', "%m/%d/%Y %H:%M:%S")
| fields - time

New Member

Thanks 🙂

I would need all fields from the notable index for a notable event having a last modified timestamp greater than some configurable time; basically I have to pass a configurable time.


Motivator

Questions:
1. Can you list the fields you need from the notable index?
2. Will you hardcode the 'configurable time' value in the query?


New Member

Basically all fields from the notable index, fields *.
Yes, I will calculate last modified from code, so it would be kind of hardcoded in the search query.

Basically I'm firing a REST query from our code.


Motivator

@shravankumarkusuma

I don't think you will get the 'notable' event fields with the 'incident_review' macro. Anyway, you can get the 'incidents' whose modified time is greater than a given time (the myTime variable in this case).

|`incident_review`
| eval last_modified_timestamp=_time 
| eval myTime=relative_time(time(),"-3d") 
| where last_modified_timestamp>myTime 
| fields - time

Motivator

@shravankumarkusuma

Can you accept the answer if it helped you? Thanks.


Path Finder

To expand on @jawaharas' answer: you can pass the rule_id value from the incident_review macro to the notable_by_id macro to retrieve the notable details.

| `incident_review` 
| eval last_modified_timestamp=_time 
| eval myTime=relative_time(time(),"-4h") 
| where last_modified_timestamp>myTime 
| fields - time 
| map search=" search `notable_by_id($rule_id$)`"
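Putting the thread's pieces together into one query for the original requirement (a hardcoded epoch threshold supplied by the calling code, every field of the matching notable events, restricted to one correlation rule). This is an added example, not code posted by anyone in the thread. The epoch value 1564638000 and the correlation search name are placeholders to be replaced by the calling code; the filter on search_name assumes that field is populated on the notable events as stored in the notable index, and the dedup assumes you want each notable fetched once rather than once per modification row in incident_review_lookup.

```spl
`incident_review`
| where _time > 1564638000
| dedup rule_id sortby -_time
| map search="search `notable_by_id($rule_id$)`" maxsearches=500
| search search_name="Threat - Example Correlation Rule - Rule"
```

The where clause does the "modified after X" filtering on the lookup rows (`_time` is set from the lookup's time field by the macro), dedup keeps only the most recent modification per rule_id so map does not re-run the same subsearch, and map substitutes each rule_id into notable_by_id to return the full notable event with all its fields. map runs at most 10 subsearches by default, so maxsearches is raised explicitly; if the filtered lookup can exceed that number of distinct rule_id values, raise it further or narrow the time threshold. The search_name filter is placed after map because the correlation search name lives on the notable event, not on the incident_review row.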