Splunk Enterprise Security

Splunk App for Enterprise Security: How to add additional fields to events under "Incident Review"?

MHibbin
Influencer

Hi,

We have a requirement to add some additional fields to events under "Incident Review" for IOCs (I have looked at some of the mappings in notables2.html), however, they don't give us quite enough flexibility.

How do I add these additional fields under the heading "Additional Fields" (e.g. dest displays as "Destination")?

I have had a look at the following however changing the HTML or log_review.conf did not appear to make any difference:

http://answers.splunk.com/answers/183891/configuring-additional-fields-for-a-notable-event.html?utm_...

Thanks,

MHibbin

1 Solution

ekost
Splunk Employee

I've verified that the advice of @jbrodsky is correct. The log_review.conf controls the fields displayed in Incident Review. If you wish to add fields, copy the entire $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/log_review.conf to SA-ThreatIntelligence/local and add the new fields under the stanza:

[incident_review]
event_attributes = 

An example is available in: SA-ThreatIntelligence/README/log_review.conf.example. You can verify the changes with: splunk cmd btool log_review list --debug. Note: if you tack the new fields on to the bottom of the file, beware of leaving a trailing comma on the bottom/last field definition. That bit me while testing the changes.

The default behavior is that the field name will not appear in the NE if the search results do not contain data for that field. If you don't see your new fields, test the output again with a field that appears in all results, such as index. Refresh the Incident Review dashboard after changing log_review.conf for the changes to take effect.

I hope that helps!

LukeMurphey
Champion

BTW: you can use an online JSON parser to verify that the fields are valid JSON. I generally use this one: http://json.parser.online.fr/

0 Karma

jrivas_splunk
Splunk Employee

That comma is very important. I encountered an issue where the commas were missing after "User Email"}:
{"field": "user_email", "label": "User Email"}\

this caused the Incident Review - Event Attributes to be hidden and the add new entry button to disappear as well. It was not until those changes were made that it all worked out.

{"field": "user_email", "label": "User Email"},\

0 Karma
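A small checker for the event_attributes stanza, added here as an example (it is not Splunk's code and not from this thread): it joins the backslash continuations, pulls the JSON array out of the [incident_review] stanza and points at the spot where either the trailing comma ekost warns about or the missing comma jrivas ran into breaks the JSON. The file contents, the IOC field names and the JSON-array wrapper around the entries are constructed assumptions based on what is quoted in this thread.

```python
import configparser
import json
import re

# Constructed sample of SA-ThreatIntelligence/local/log_review.conf. The stanza, the
# {"field": ..., "label": ...} entries and the backslash continuations follow this thread;
# the IOC field names are Matt's wish list and the JSON-array wrapper is an assumption.
GOOD_CONF = r"""[incident_review]
event_attributes = [\
{"field": "dest", "label": "Destination"},\
{"field": "ioc_source", "label": "IOC Source"},\
{"field": "ioc_description", "label": "IOC Description"},\
{"field": "ioc_classification", "label": "IOC Classification"},\
{"field": "ioc_date", "label": "IOC Date"}\
]
"""

# Same file with the trailing comma ekost warns about on the last entry.
TRAILING_COMMA_CONF = GOOD_CONF.replace('"IOC Date"}\\', '"IOC Date"},\\')

# Same file with the comma between two entries missing, as in jrivas's case.
MISSING_COMMA_CONF = GOOD_CONF.replace('"Destination"},\\', '"Destination"}\\')


def load_event_attributes(conf_text):
    """Return the decoded event_attributes list from [incident_review], or raise
    ValueError pointing at the spot where the JSON breaks (stray or missing comma)."""
    # Splunk .conf values continue across lines with backslash-newline; join those
    # first so configparser sees the whole JSON array as one logical value.
    joined = re.sub(r"\\\n", "", conf_text)
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(joined)
    raw = parser.get("incident_review", "event_attributes")
    try:
        attrs = json.loads(raw)
    except json.JSONDecodeError as exc:
        snippet = raw[max(0, exc.pos - 20):exc.pos + 20]
        raise ValueError(f"event_attributes is not valid JSON near: ...{snippet}...") from exc
    for entry in attrs:
        if not {"field", "label"} <= set(entry):
            raise ValueError(f"entry is missing 'field' or 'label': {entry}")
    return attrs


def labels_for(conf_text):
    """Map field name to display label, e.g. dest -> Destination."""
    return {e["field"]: e["label"] for e in load_event_attributes(conf_text)}
```

Running it against a real local/log_review.conf before restarting the dashboard gives the same answer as the online JSON parser Luke suggests, without pasting the file anywhere.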

MHibbin
Influencer

Thanks @ekost & @jbrodsky, I have just configured a test instance with version 3.3.1 and this solution appears to be working correctly.

In our current version the log_review.conf file does not have the same contents (namely missing table_attributes and event_attributes).

Looks like I will have to schedule in some upgrade work!

Thanks for your help.

Best,

Matt

0 Karma

ekost
Splunk Employee

Can you verify what you're trying to accomplish? My interpretation is, you would like the correlation search to grab additional fields and provide/display them in a notable event. But your description could also be interpreted as adding a new event action from an existing field in a notable event. And @esix is offering another perspective.

0 Karma

MHibbin
Influencer

@ekost,

My correlation search is generating all the fields required (i.e. I could add them to the title/description as variables), however I would like them to appear under "Additional Fields", where there are currently items such as:

  • Destination
  • Destination Expected
  • Destination Requires AntiVirus
  • Process
  • User

Obviously these are fields that are referenced in the CIM; I would like to add ones, e.g.:

  • IOC Source
  • IOC Description
  • IOC Classification
  • IOC Date
  • Etc.

The intention is that we can add these fields to the notables/events in Incident Review, so that the review is more streamlined and also so that we can create workflow actions on the IOCs themselves (e.g. Open Source checks, checks on other systems internally, etc.) for each instance.

We do have other use cases, not just IOC information.

Hope this is a bit clearer.

Thanks,

Matt

0 Karma

jbrodsky_splunk
Splunk Employee

So Matt, I'm late to the game, but you mention that changes to log_review.conf are not making any difference. Can you go through the more detailed example given by @ekost and let us know what the results are? I'm curious as to the output of btool...

0 Karma

esix_splunk
Splunk Employee

Have you seen this portion of the documentation: http://docs.splunk.com/Documentation/ES/3.3.1/User/IncidentReviewdashboard#Modify_the_Incident_Revie... ?

It describes removing fields, but it should hold the same for adding fields, but I haven't tried this yet. If you try, do let us know the results.

0 Karma

MHibbin
Influencer

Thanks @esix,

My log_review.conf file only has the following:

[notable_editing]
allow_urgency_override=true

[comment]
minimum_length=20
is_required=false

I also used btool to identify any other instances, however, that was the only one.

So I don't really have much to go on.

0 Karma