Building Better Notables in Splunk ES

Notables in Splunk Enterprise Security (ES)

Notables in Splunk Enterprise Security (ES) are security-related events that require further investigation or action by security analysts. These notables are created by rules in Splunk ES that detect suspicious or anomalous behavior in the security data. Enhanced notables are only possible on correlation searches.

Contributing Events

• Add a search to display the search results leading to the notables.
• Utilize the “Drill-down Search” field within the notables to view the events.

Next Steps Instructions

• Include clear instructions within the notables to guide the next steps for analysts.
• Make use of the “Next Steps” section within the notables.

Convert Alerts to Correlation Searches

• Correlation Searches provide advanced capabilities for investigating events
• To transform a search into a correlation search, add the following parameters: ¹

# savedsearches.conf
action.correlationsearch = 0
action.correlationsearch.enabled = 1
action.correlationsearch.label = "rule_name"
description = "description"

Data Enrichment with Asset Details

• Enhance your assets with additional information such as hostnames or departments for users.
• Utilize the Asset & Identity Framework for data enrichment. ²

Customizing the “Incident Review” Dashboard

Changing Table Attributes

• Update the settings to change the “Table Attributes” to “Incident Review”:
  • Go to Enterprise Security -> Configure -> Incident Management -> Incident Review Settings
  • Enter your desired values in the “Incident Review - Table Attributes” field.

Using Saved Filters for Faster Filtering

• Customize the default filter view according to your requirements.
• Set your filters and save them as new filters for quick access.

Adding More Data to Event Details View

• To add data to a notable, extract the relevant information from the search results and include it in the notable.
• Extract the field using the following steps:
  • Correlation Search -> Notable -> Asset Extraction
• Add the field to the “Incident Review” configuration:
  • Go to Enterprise Security -> Configure -> Incident Management -> Incident Review Settings
  • Enter your values in the “Incident Review - Event Attributes” field.

use throttling to prevent immediatley re-triggering

After a correlation search has been triggered, you probably don’t want it to immediately re-trigger again for the same issue. That is where throttling comes into place. [^3]

• Go to Enterprise Security -> Configure -> Content -> Content Management
• click on your correlation search
• define a window duration
  • if an event matches all of the Fields to group by no new alert is created. After the window ends, the next matching event creates a new alert
• define the Fields to group by
  • If an event matches all the fields listed here, the correlation search does not create a new alert

References

• Configure correlation searches
• Optimizing correlation searches in Enterprise Security
• Audit your correlation searches against your own Best Practices automatically

[^3] [Throttle the number of response actions generated by a correlation search][https://docs.splunk.com/Documentation/ES/7.3.0/Admin/Configurecorrelationsearches?ref=hk#Throttle_the_number_of_response_actions_generated_by_a_correlation_search]

1. correlationsearches.conf parameter translation to savedsearches.conf ↩

2. Asset & Identity for Splunk Enterprise Security - Part 1: Contextualizing Systems ↩