Manually create a notable event in Splunk Enterprise Security

You can manually create a notable event from an indexed event, or create one from scratch.

Note: By default, only administrators with the edit_reviewstatuses capability can manually create notable events. To grant other users this capability, see Configure users and roles in the Installation and Upgrade Manual.

Create a notable event from an existing event

You can create a notable event from any indexed event using the Event Actions menu. Do not create a notable event from notable events on the Incident Review dashboard.

From an event, view the event details and click Event Actions. Enter a Description for the event that describes why you created the notable event or what needs to be investigated. The Incident Review dashboard displays with your new notable event.

Create a notable event based on observations, a finding from a security system outside Splunk, or something else. Select Configure > Incident Management > New Notable Event.

Note: A notable event created in this way includes tracking fields such as Owner and Status, but does not include the unique fields or links created when a notable event is generated by a correlation search alert action.

Add custom properties to a notable event using the eval command in an SPL search

Adding specific properties to the notable using the eval command maps these properties to the output of the notable. For example: Use the following search to set a custom security_domain, urgency level, severity level, risk_object, risk_object_type, and risk_score to the notable called "Doc Test Notable".
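The search below is an added example, not the search the original documentation shows. It assumes the Splunk Enterprise Security notable alert action is invoked with the sendalert command (`| sendalert notable`) and that the alert action accepts `param.rule_title` and `param.rule_description` for the notable's title and description; the src and user values are constructed sample data, and the field names set with eval are the ones the text lists (security_domain, urgency, severity, risk_object, risk_object_type, risk_score).

```spl
| makeresults count=1
| eval src="10.0.0.5", user="jdoe"
| eval security_domain="access",
       urgency="high",
       severity="high",
       risk_object="jdoe",
       risk_object_type="user",
       risk_score=60
| sendalert notable
    param.rule_title="Doc Test Notable"
    param.rule_description="Test notable created from an ad hoc search"
```

Run the search from the Enterprise Security search bar; each result row becomes one notable in Incident Review, carrying the eval'd fields as its properties. Because makeresults produces exactly one row, the search creates exactly one notable, which keeps a test run from flooding the analyst queue. As the note above states, a notable created this way has the tracking fields (Owner, Status) but not the drilldown links a correlation search would attach, so reviewers should record the originating evidence in the description.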