We would like to dynamically assign an owner to a notable event.
Our SOC would like to round-robin the incoming events. Does anyone know of a way to do this or
This cannot be done at the moment of event creation. However, you could implement a saved search that modifies the corresponding KV store lookup (es_notable_events) and assigns an owner there.
I could imagine doing it the following way:
- create a lookup table containing the usernames of the SOC analysts that should have tickets assigned, and an ID for them
- create another lookup table containing the ID of the last user that had a ticket assigned
- get the latest created notable events (see lookup table mentioned above)
- get the ID of the user that had a ticket assigned last
- cycle through your analyst lookup, and alter the es_notable_events lookup by assigning an analyst to each unassigned ticket
- schedule this search to run every 5 minutes or so
This might need some tuning to make it work for your case, but I assume the basic principle should be okay...
This can now be done easily via SPL using https://splunkbase.splunk.com/app/5211/
WRT the round-robining, a simple way to do this might be to have a lookup with all the analysts and a field indicating the last time a notable was assigned to them (in epoch time). This would be used in your search with the app above to both update the lookup and figure out who is next to have a notable assigned.
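The assignment logic from the two replies above, written out as an added example in plain Python so it can be checked before being turned into a scheduled SPL search. This is not code from the thread, from Splunk ES, or from the Splunkbase app linked above. It covers both the ID-pointer approach (analyst lookup with IDs plus a one-row lookup holding the last assigned ID) and the last-assigned-epoch approach. The roster, the notable rows, the field names (`rule_id`, `owner`, `event_time`, `last_assigned`, `active`) and the `unassigned` sentinel are assumptions for illustration; the `active` flag is a generalisation so analysts who are off shift are skipped.

```python
from dataclasses import dataclass

UNASSIGNED = "unassigned"  # assumed sentinel value of the owner field


@dataclass
class Analyst:
    analyst_id: int             # ID column of the analyst lookup (approach 1)
    username: str
    active: bool = True         # generalisation: False for analysts off shift
    last_assigned: float = 0.0  # epoch of last assignment (approach 2); 0 = never


@dataclass
class Notable:
    rule_id: str                # assumed key field of the notable row
    owner: str = UNASSIGNED
    event_time: float = 0.0     # creation time, so the oldest tickets go out first


def assign_round_robin(notables, analysts, last_id):
    """Approach 1: cycle through the analyst lookup by ascending ID, starting
    after `last_id` (the value stored in the one-row 'last user' lookup).
    Returns (updated notables, new last_id) so both lookups can be rewritten."""
    ring = sorted((a for a in analysts if a.active), key=lambda a: a.analyst_id)
    if not ring:
        return list(notables), last_id   # nobody on shift: leave everything as is
    # Start at the first analyst whose ID is greater than last_id; wrap to 0.
    pos = next((i for i, a in enumerate(ring) if a.analyst_id > last_id), 0)
    updated = []
    for n in sorted(notables, key=lambda n: n.event_time):
        if n.owner != UNASSIGNED:
            updated.append(n)            # already owned: never reassign
            continue
        a = ring[pos]
        updated.append(Notable(n.rule_id, a.username, n.event_time))
        last_id = a.analyst_id
        pos = (pos + 1) % len(ring)
    return updated, last_id


def assign_least_recent(notables, analysts, now):
    """Approach 2: each unassigned notable goes to the active analyst with the
    oldest `last_assigned` epoch, whose timestamp is then bumped to `now`.
    A per-run tick is added so several tickets in one run still rotate
    instead of all landing on the same analyst. Mutates `analysts` in place,
    mirroring what an outputlookup of the roster would persist."""
    pool = [a for a in analysts if a.active]
    if not pool:
        return list(notables)
    updated, tick = [], 0
    for n in sorted(notables, key=lambda n: n.event_time):
        if n.owner != UNASSIGNED:
            updated.append(n)
            continue
        a = min(pool, key=lambda a: (a.last_assigned, a.username))
        updated.append(Notable(n.rule_id, a.username, n.event_time))
        a.last_assigned = now + tick
        tick += 1
    return updated


def owners(notables):
    return [n.owner for n in notables]


def sample_roster():
    """Constructed analyst lookup (not real data)."""
    return [
        Analyst(1, "alice", last_assigned=1000),
        Analyst(2, "bob", last_assigned=500),
        Analyst(3, "carol", last_assigned=2000),
        Analyst(4, "dave", active=False),
    ]


def sample_notables():
    """Constructed notable rows (not real data); r2 is already owned."""
    return [
        Notable("r1", event_time=100),
        Notable("r2", owner="bob", event_time=110),
        Notable("r3", event_time=120),
        Notable("r4", event_time=130),
        Notable("r5", event_time=140),
    ]


if __name__ == "__main__":
    rr, last_id = assign_round_robin(sample_notables(), sample_roster(), last_id=2)
    print("round robin:", owners(rr), "next pointer:", last_id)
    roster = sample_roster()
    print("least recent:", owners(assign_least_recent(sample_notables(), roster, now=5000)))
```

In the scheduled search both lookups are read with inputlookup, the same decision is made per unassigned row, and both the notable lookup and the pointer (or roster) lookup are written back with outputlookup. Two points worth keeping from the logic above: never overwrite a row that already has an owner, because an analyst may have claimed it manually between runs, and remember that a 5-minute schedule means a notable can sit unassigned for up to that interval, which matters if you report on time-to-acknowledge.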
This sounds like a very plausible idea. It looks like ES provides a REST endpoint to do something similar.
I would like to suggest this be added to the product road map for future updates. SOC environments are challenging and dynamic, with a variety of staff and skill levels. ES needs to do better to meet these challenges. Currently we are just picking things out of a queue, which is kind of silly.
At the moment, assignment of notables is done outside the notable creation. So, not sure if there is any automated way. Having said that, if an analyst is off/sick/away, how do you then assign the notables to 'owners/analysts'?
You may end up creating a process/job to look for open/unassigned notables and assign them based on a lookup of active 'owners' for that day of the week.
thank you