Splunk Enterprise Security

Can I get all the related events when a notable has been created?

nandha_2
Engager

I have configured a "Correlation Search" and I would like to grab all the related events for that notable (by skipping the drilldown search option). Is that possible?

0 Karma

jstoner_splunk
Splunk Employee

Can you help me understand a bit more how you would envision this to be viewed? From the Incident Response screen, the analyst has the flexibility to go to the drill-down, but it also allows them to pivot to other context enrichment and other dashboards instead. Are you asking about getting all related events via that Incident Response screen or potentially creating your own search/dashboard?

0 Karma

nandha_2
Engager

Sure. When I create a correlation search it creates notables. Once the notables are created in the "index notable" I do a couple of things:

1) I used the "Run a script" option to send the notables to another server called "A".

2) Now "A" receives all the notables and it will search for the related events (aka drilldown search) to get all the related events for that incident.

It's a painful process to do it when I get 10K incidents per day. What I request:

1) Is there any way for me to pull the events when the notable is created, so A needn't do a push method to retrieve all the related events per incident?

What I think:
Splunk should already store all the events in memory, and once the events are matched by the c.search a notable is created. Can I grab those events along with the incidents?

0 Karma

jstoner_splunk
Splunk Employee

At this point the approach where you pull the notables and then issue drill-downs to get greater specificity may be the best approach. You could have a script run when a notable is created that runs the drill down search for that criteria automatically though.

0 Karma
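One way to do what the last reply suggests, as an added example that is not from the thread or from Splunk ES itself: a script for the legacy "Run a script" alert action that reads the notable's triggering results file and renders the correlation search's drilldown search for each row by filling in the `$field$` tokens, so server "A" receives a ready-made search instead of building one per incident. The argument positions, the drilldown template and the sample CSV are assumptions constructed for the example.

```python
import csv
import gzip
import io
import re
import sys

# Assumption: the legacy "Run a script" alert action passes positional
# arguments; this script uses argv[4] (the saved/correlation search name)
# and argv[8] (path to a gzipped CSV of the results that fired the alert).
TOKEN = re.compile(r"\$([A-Za-z0-9_.:]+)\$")

# Hypothetical drilldown template keyed by correlation search name.
# Constructed for this example; it is not read from the ES configuration.
DRILLDOWN_TEMPLATES = {
    "Access - Brute Force Access Behavior Detected - Rule":
        'index=* tag=authentication action=failure src="$src$" '
        'dest="$dest$" earliest="$info_min_time$" latest="$info_max_time$"',
}

# Constructed sample of the results CSV for one notable (one row per
# triggering result; the dest value contains a quote on purpose).
SAMPLE_CSV = (
    "src,dest,info_min_time,info_max_time,count\n"
    '10.0.0.5,"srv""01",1710000000,1710000300,42\n'
)

def render_drilldown(template, row):
    """Fill $field$ tokens from one result row. Missing fields render
    empty; double quotes are backslash-escaped so a field value cannot
    close the quoted SPL literal and smuggle in extra search terms."""
    return TOKEN.sub(
        lambda m: row.get(m.group(1), "").replace('"', '\\"'), template)

def drilldowns_for_results(search_name, results_gz):
    """Return one rendered drilldown search per triggering row.
    results_gz is a path or a binary file object holding gzipped CSV."""
    template = DRILLDOWN_TEMPLATES[search_name]
    with gzip.open(results_gz, "rt", newline="") as fh:
        return [render_drilldown(template, row) for row in csv.DictReader(fh)]

def sample_results_gz():
    """Gzip the constructed sample CSV in memory, as argv[8] is on disk."""
    return io.BytesIO(gzip.compress(SAMPLE_CSV.encode()))

if __name__ == "__main__":
    # Use Splunk's arguments when invoked as an alert script, else the sample.
    if len(sys.argv) >= 9:
        searches = drilldowns_for_results(sys.argv[4], sys.argv[8])
    else:
        searches = drilldowns_for_results(next(iter(DRILLDOWN_TEMPLATES)),
                                          sample_results_gz())
    for spl in searches:
        print(spl)  # hand each search to server "A" or run it via the REST API
```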