Triage notables on Incident Review in Splunk Enterprise Security

You can monitor notables, assign notables to specific owners, and prioritize the actions that analysts take to resolve security events on the Incident Review page. You can also accelerate the triage of notables by using filters or tags and by adding dispositions.

Drill down on specific notables or groups of notables that pose the highest threat to accelerate the triage of notables during an investigation. Triaging notables helps you respond to security threats faster. You can triage notables by sorting them, grouping them using filters, or adding dispositions to them.

You can sort notables on the Incident Review page to triage them faster. Notables contain Urgency, Status, Security Domain, Owner, and Type filters to help you categorize, track, and assign events.

You can further speed up the triage of your notable events through the investigation workflow by creating filters. Using filters helps you drill down on specific and detailed information about the notable events and identify potential threats faster. Toggle Show Charts or Hide Charts to display visualizations for the notable events based on Urgency, Status, Owner, and Domain. You can hide the filters feature used for grouping notable events by clicking Close Filters. You can also customize the fields, or add additional fields, to display for your notable events. For more information on customizing notable event fields, see Change notable event fields.

Filter notable events using the following fields that appear on the Incident Review page:

- Urgency: Importance of the notable event, such as Medium, Low, High, Critical, Informational, and Unknown.
- Status: Status of the notable, such as New, In-progress, Pending, Resolved, and Closed.
- Security Domain: Domain from which the notable is generated, such as Access, Endpoint, Network, Threat, Identity, and Audit.
- Type: Option to select all notables or specific notables based on risk events. Options include All Notables, Notables (that don't use risk-based alerting), and Risk Notables. You can also filter notables using specific correlation searches.
- Time: Time span during which notables are created, such as Last 24 hours, Last 30 days, and so on.
- Associations: Specific investigations, short IDs, or running attack templates that are associated with the notables.
- Correlation Search Name: Filter for notable events created by the same correlation search by typing the name of the correlation search that created a notable event. As you type, the correlation search names appear for you to select.
- Search: Type a Search Processing Language (SPL) string into the Search filter to search within the notable event details of the notable events on Incident Review.

If you added notable events to investigations, or generated short IDs for notable events to share them with other analysts, you can use the Associations filter to quickly view the notable events associated with a specific investigation or the notable event represented by a short ID. However, the short ID filter dropdown lists all short IDs, including those of notable events that are suppressed. If a notable event is suppressed, you will not be able to see it on the Incident Review page when filtering on its short ID.

Additionally, you can simplify searching and add identifiers to notable events using tags. Click Edit Tags in the field actions menu for a notable event field such as Title, Status, or Owner to add new tags or modify existing ones. After you create a tag, you can use it to filter the notable events on the page.

Reuse the grouping of notable events by specific fields during an investigation by saving filtered views. You can reuse saved views or make edits to existing views based on specific fields. If you want to see a filtered view of Incident Review by default, ask your ES admin to modify the navigation menu in Enterprise Security to link directly to a filtered view. See Add a link to a filtered view of Incident Review in Administer Splunk Enterprise Security.
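As an added example, not taken from the Splunk documentation this page reproduces, the following search reproduces outside Incident Review the Urgency, Status, Domain and Owner breakdown that Show Charts displays, restricted to the subset of notables an analyst would pick with the filters above. It assumes the ES `notable` macro is available in the Search app and that the notable events carry the fields urgency, status_label, security_domain and owner under those names in your ES version; the terms on the `| search` line are the kind of SPL string you would type into the Search filter on Incident Review.

```spl
`notable`
| search security_domain=endpoint urgency IN (high, critical) status_label!=Closed
| stats count AS notables BY urgency status_label security_domain owner
| sort - notables
```

Running the full search in the Search app is useful when you want to check, before sharing a filtered view, that the counts the charts show for a domain match what the correlation searches actually produced over the same time span; narrowing the `| search` line by owner or by a tag you created lets you verify a saved view's grouping the same way.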