Splunk Enterprise Security

where to check notable status ? not from ES app but from logs.

srisahitya_v
Communicator

Hello,

My question is regarding "Splunk App for Enterprise Security".

This app will trigger Notables and logging at index=Notable

Once I have change the status of a notable to inprogress Or pending, where it logged?

I would like to make a search query to find out from past 1 month how my team responded/closed the notables.

could you please help.

0 Karma

jkat54
SplunkTrust
SplunkTrust

it’s in the kvstore

They have macros to help you retrieve the data:

http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA.

I believe you’re looking for incident_review:

 | `incident_review`
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!