I'm looking to export notable events from the Incident Review dashboard in Splunk Enterprise Security to a CSV/Excel file. I need to include the following details:
What would be the best SPL query or method to extract this information? Also, is there a way to automate this export on a scheduled basis?
Currently using the SPL query:
```spl
`notable`
| eval original_time=strftime(orig_time,"%c")
| eval reviewing_time=strftime(review_time,"%c")
| table search_name, comment, disposition_label, original_time, reviewing_time, owner, reviewer, status, status_description, status_label, urgency, username
```
and I'm getting results. However, I'm not getting an ID to locate and go through an individual notable if I wanted to. How can I search for a specific notable? Is there a tracking number for a notable? I'd like to include it in my table as well.
Hi @KKuser
You probably want to include the `source_event_id` field, which is a unique field for each of your notable events.
Please let me know how you get on, and please consider adding karma or accepting this post if it has helped.
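As an added example (not code from this thread or from Splunk), here is one way to run the query above with `source_event_id` added and export the result as CSV through the REST search export endpoint, so it can be scheduled from cron. It assumes a `SPLUNK_TOKEN` environment variable holding a Splunk authentication token and `SPLUNK_HOST` pointing at the management port, and that a leading `search` prefix is acceptable for the `notable` macro as it is in the search bar.

```shell
#!/bin/sh
# Export ES notable events (with source_event_id) to CSV via the REST API.
# Assumed environment: SPLUNK_HOST (host:mgmt-port, default localhost:8089)
# and SPLUNK_TOKEN (Splunk auth token, so no password is stored in the script).
set -eu

build_query() {
  # SPL from the question plus source_event_id, so each CSV row can be
  # traced back to the individual notable. Single quotes keep the
  # `notable` macro backticks literal; "search" mirrors the search bar's
  # implicit prefix (assumption noted in the lead-in).
  printf '%s' 'search `notable` | eval original_time=strftime(orig_time,"%c") | eval reviewing_time=strftime(review_time,"%c") | table source_event_id, search_name, comment, disposition_label, original_time, reviewing_time, owner, reviewer, status, status_description, status_label, urgency, username'
}

export_notables() {
  # $1 = output CSV path, $2 = earliest_time (default: last 24 hours)
  out="$1"
  earliest="${2:--24h}"
  # --data-urlencode handles the quotes and pipes in the SPL safely.
  curl -sSf -k \
    -H "Authorization: Bearer ${SPLUNK_TOKEN}" \
    "https://${SPLUNK_HOST:-localhost:8089}/services/search/jobs/export" \
    --data-urlencode "search=$(build_query)" \
    -d output_mode=csv \
    --data-urlencode "earliest_time=${earliest}" \
    -d latest_time=now \
    -o "$out"
}

# Run the export only when invoked directly (e.g. from cron), not when sourced.
# Example cron entry (assumption, adjust paths and variables):
#   0 6 * * * SPLUNK_HOST=es.example:8089 SPLUNK_TOKEN=... /opt/scripts/export_notables.sh
case "${0##*/}" in
  export_notables.sh) export_notables "notables_$(date +%Y%m%d).csv" ;;
esac
```

The token only needs search permission on the notable index; keep it in an environment file readable by the cron user alone rather than in the script.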