Splunk Enterprise Security

Enterprise Security Incident Review - link to other dashboard

DMohn
Motivator

Hi Splunkers,

I want to customize the Enterprise Security Incident Review dashboard to include a link to another dashboard instead of a drilldown search when viewing single events.

Example:
We have several "Threat activity detected" notables. The "Contributing Events" drilldown leads to another search window. We want to change this drilldown (or include another link) to open a dashboard with parameters from the notable event instead.

Does anyone know how to achieve this?

Cheers
Dennis

1 Solution

LukeMurphey
Champion

The easiest way to do this that I can think of is a workflow action. You can use workflow actions directly from Incident Review since it includes any workflow actions declared on the system (both the field and event actions).

DMohn
Motivator

Okay, found my answer myself already. Thanks for your help, workflow actions were exactly what I was looking for!

0 Karma

DMohn
Motivator

Thanks, that looks exactly like the solution I need... Anyhow, I can't get the link to fully work. Is there a chance to just include the dashboard link without having to specify the FQDN of my search head? I want this to work on any search head.

0 Karma
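To make the workflow-action suggestion above concrete, and to address the follow-up about not hard-coding the search head's FQDN, here is an added example (not posted by anyone in this thread, and not Splunk's or Enterprise Security's own configuration) of a link-type workflow action whose link.uri is a path relative to Splunk Web, so it resolves against whichever search head the analyst is logged in to. The app name my_app, the dashboard name threat_context, the field names, and the stanza name are assumptions; replace them with your own.

```ini
# Added example, not from the thread: a workflow action that opens a
# dashboard from Enterprise Security Incident Review.
# Save as $SPLUNK_HOME/etc/apps/<your_app>/local/workflow_actions.conf
# in an app you own (not one shipped with ES), so ES upgrades leave it alone.
# my_app, threat_context, threat_match_value and src are assumed names.

[open_threat_context_dashboard]
type = link
# Text shown in the Incident Review event/field action menu
label = Open threat context for $threat_match_value$
# Only offer the action when the event carries these fields
fields = threat_match_value, src
# Show the action in both the event-level and the field-level menus
display_location = both
# Relative URI: no scheme or hostname, so the link works on any search head.
# Field values are substituted into the form.* tokens of the target dashboard.
link.uri = /app/my_app/threat_context?form.threat_match_value=$threat_match_value$&form.src=$src$
link.method = get
# Open in a new tab so the analyst keeps the Incident Review context
link.target = blank
```

After saving, restart Splunk Web or reload the configuration, then open a notable in Incident Review and expand the event actions menu; the action only appears on events that actually contain the fields listed in fields. The target dashboard must declare matching inputs (token names threat_match_value and src in this example) for the form.* parameters to pre-fill.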

bruceclarke
Contributor

Hi @DMohn,

Have you taken a look at the docs here? http://docs.splunk.com/Documentation/Splunk/6.0.2/Viz/Dynamicdrilldownindashboardsandforms

In particular, if you have a table view you can do something like the following:

<dashboard>
  <label>Dashboard with dynamic drilldown to a Splunk form</label>
  <row>
    <table>
      <searchString>
        <!-- rename the chart's "series" column to "sourcetype" so that
             $row.sourcetype$ in the drilldown link below is populated -->
        index="_internal" group="per_sourcetype_thruput"
        | chart sum(kbps) over series
        | rename series AS sourcetype
      </searchString>
      <title>Top sourcetypes (drilldown example)</title>
      <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
      <option name="count">15</option>
      <option name="displayRowNumbers">false</option>
      <option name="showPager">true</option>
      <!-- "row" makes the whole table row clickable -->
      <option name="drilldown">row</option>

      <drilldown>
        <!-- CDATA is needed because the URL contains "&" characters.
             The path is relative to Splunk Web, so no hostname is required. -->
        <link>
        <![CDATA[
          /app/dashboard_examples/form_table2?form.sourcetype=$row.sourcetype$&earliest=$earliest$&latest=$latest$
        ]]>
        </link>
      </drilldown>
    </table>
  </row>
</dashboard>

The <drilldown> XML element is the key there. In that example, clicking on a row of the table will take you to a new dashboard (form_table2 in the dashboard_examples app) with $row.sourcetype$ and the $earliest$ and $latest$ values pre-filled.

0 Karma

DMohn
Motivator

Thanks for the suggestion, but I don't want to modify the IR dashboard itself, if there are other options. Any updates to the Enterprise Security Suite would reverse my changes.

0 Karma

bruceclarke
Contributor

Makes sense. I had assumed this was a custom dashboard.

0 Karma