Notable Event framework in Splunk ES

The Notable Event framework provides a way to identify noteworthy incidents from events and then manage the ownership, triage process, and state of those incidents.

This framework is one of five frameworks in Splunk Enterprise Security with which you can integrate. See Building Integrations for Splunk Enterprise Security for an introduction to the frameworks.

The diagram presents an overview of the Notable Event framework, with the possible integration points highlighted.

This diagram shows how admins, analysts, and developers can interact with the Notable Event framework. Security admins create or configure correlation searches that trigger the Notable Event response action. The Notable Event response action creates events in the notable index. The incident review KV Store collection stores the state and ownership of the notable event. Notable events display to analysts on the Incident Review dashboard. When the security analyst investigates the notable event and changes the review status to track progress. Developers can integrate with the Notable Event framework in three ways: 1. Supply new correlation searches that trigger the Notable Event response action. 2. Programmatically edit notable events using the REST API. 3. Programmatically add custom review status options using the /services/alerts/reviewstatuses endpoint of the REST API.

Creating notable events manually

Most notable events are triggered by correlation searches, but you can also create notable events manually. There are two ways to create notable events manually:

  • Create a notable event using the search language by including | sendalert notable in your search string. For example, | makeresults | eval dest="somedest" | sendalert notable
  • Create a notable event using the Splunk Enterprise Security UI. See Manually create a notable event in Splunk Enterprise Security.

Searching for notable events

All notable events are stored in the notable index. Events in the notable index are stateless. They contain only the notable event itself and not information about its review status, which is tracked in the incident_review KV store collection. For best practices for searching the notable index, see Notable index.

Integrate with the Notable Event framework

There are three ways to integrate with the notable event framework.

  • Create one or more custom correlation searches to generate notable events.
  • Use the REST API to edit notable events based on external triggers. For more information, see Notable Event API reference.
  • Use the REST API to set custom review statuses and manage status transitions. See the reviewstatuses.conf.spec in SA-ThreatIntelligence for more information.