Using notable events in search

When a notable event is created, Splunk Enterprise Security indexes the event on disk and stores it in index=notable. Additional enrichment data is added to notable events at search time from various lookups and KV store collections.

To search for notable events, use the `notable` macro in your search rather than searching the notable index directly. The `notable` macro fills in default values and extracts the state of the event from the incident_review KV store collection. Some fields are consistent for all notable events, and each notable event returns different additional fields depending on the syntax of the correlation search. See Customize notable event settings in Splunk Enterprise Security.

| Notable event field type | Description | Examples |
| --- | --- | --- |
| Event fields | Fields that all events have when indexed. | _time, host, source, sourcetype |
| Search-time-enriched fields | Fields added at search time by various correlation mechanisms. | event_id, xref_id, risk_score |
| Stash event fields | Each notable event is a stash event created by an adaptive response action. The notable event includes fields specific to this creation method. | orig_action_name, orig_sid, orig_rid |
| Incident review activity fields | Fields related to the notable event on Incident Review. See Incident review activity fields. | status, owner |
| Correlation search fields | Fields related to the correlation search that returned the notable event. | rule_name, severity |

Notable event fields enriched at search time

Some fields for a notable event are indexed with the notable event itself, but many are enriched at search time.

| Type | Field | Description |
| --- | --- | --- |
| Unique identifier | event_id | Assigned at search time by the `notable` macro. Uniquely identifies a notable event. Used to create and update the status and user assignment of a notable event. |
| External reference | xref_name | Exists only when an external reference for a notable event is created. Identifies the type of external reference. |
| External reference | xref_id | Exists only when an external reference for a notable event is created. Identifies the notable event with a unique ID. |
| Asset correlation | src_is_expected, src_should_timesync, dest_should_update, dest_requires_av | Fields from the asset lookup, prepended by the asset field. See Configure asset and identity correlation in Splunk Enterprise Security. |
| Identity correlation | user_bunit | Fields from the identity lookup, prepended by the identity field. See Configure asset and identity correlation in Splunk Enterprise Security. |
| Risk correlation | risk_score | Calculated risk score for the affected asset, identity, or other risk object type in the notable event. |
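As an added example (not part of the original page), the following search applies the `notable` macro described above and summarizes, per correlation search, the enriched fields (event_id, risk_score, owner) together with the stash fields orig_event_id and orig_sid; it assumes severity and risk_score are populated as the tables describe and that the time range is set by the caller.

```spl
`notable`
| search severity IN ("high", "critical")
| eval origin=if(isnotnull(orig_event_id), "single event", "aggregate")
| stats count AS notables,
        dc(event_id) AS distinct_event_ids,
        max(risk_score) AS max_risk_score,
        values(origin) AS origin,
        values(owner) AS owners,
        dc(orig_sid) AS correlation_search_runs
  BY rule_name
| sort - max_risk_score
```

The origin column distinguishes rules that generate one notable per contributing event from rules that aggregate, and correlation_search_runs counts the distinct search executions (orig_sid) behind the notables for each rule.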

Notable event stash fields

These stash fields help you identify notable events, and are indexed with the notable event.

| Field | Description |
| --- | --- |
| orig_event_id | Identifies the contributing event for a notable event, when a notable event is created from one event. Not all notable events include an orig_event_id. For example, searches that generate notable events based on an aggregate set of events do not include an orig_event_id. |
| orig_sid | Identifies the correlation search that created the notable event, by search ID. |
| orig_rid | Identifies the result position of the notable event within the correlation search results that created the notable event, for correlation searches that generate notable events on a per-result basis. |
| orig_action_name | Identifies the name of the adaptive response action that created the stash event. For notable events, this is always notable. |
| info_min_time, info_max_time | Define the time period of the correlation search that produced the notable event. Earliest time and latest time, respectively. |

Incident review activity fields

You can also search analyst activity on notable events on Incident Review. Search notable events that have been reviewed by an analyst with the `incident_review` macro.

A search for | `incident_review` shows incident review activity using the following fields.

| Field | Description |
| --- | --- |
| _time | Local time of the incident review event. |
| comment | The reviewer's comment on the notable event at the time of the incident review event. |
| owner | The assigned owner of the notable event at the time of the incident review event. This is the account name. To convert to a full name, use the `notable_owners` macro. |
| reviewer | The user who performed the incident review event. |
| rule_id | The unique event identifier. |
| rule_name | The correlation search that generated the notable event. |
| status | The numeric status code of the notable event at the time of the incident review event. |
| status_default | Whether the notable event is in its default status at the time of the incident review event. Boolean. |
| status_description | The long form description of the notable event status at the time of the incident review event. |
| status_end | Whether the notable event is in an end status at the time of the incident review event. Boolean. |
| status_group | Status group of the event. Open, New, or Closed. |
| status_label | The short form description of the notable event status at the time of the incident review event. |
| time | GMT time of the incident review event. |
| urgency | The urgency of the notable event at the time of the incident review event. |

You can use these fields in the search pipeline to evaluate and report on notable event incident review activity.
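As an added example (not part of the original page), this search uses the `incident_review` macro and the fields listed above to report analyst handling time per correlation search: it collapses the review events of each rule_id into first and last review, keeps only notable events whose latest status is an end status, and then averages by rule_name and urgency. It assumes status_end is stored as 1 when true.

```spl
`incident_review`
| stats earliest(_time) AS first_review,
        latest(_time) AS last_review,
        dc(reviewer) AS distinct_reviewers,
        latest(owner) AS current_owner,
        latest(status_label) AS current_status,
        latest(status_end) AS is_end_status,
        latest(urgency) AS urgency,
        latest(rule_name) AS rule_name
  BY rule_id
| eval handling_hours=round((last_review - first_review) / 3600, 1)
| where is_end_status=1
| stats count AS closed_notables,
        avg(handling_hours) AS avg_handling_hours,
        max(handling_hours) AS max_handling_hours,
        avg(distinct_reviewers) AS avg_reviewers
  BY rule_name, urgency
| sort - avg_handling_hours
```

Because _time is the epoch time of each review event, the difference between the first and last review of a rule_id measures how long the notable event stayed in review before reaching an end status.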

Useful Notable Event macros

You can search notable events using the macros included with Splunk Enterprise Security.

| Macro | Usage details |
| --- | --- |
| `notable` | Return the notable events in the notable index. |
| `incident_review` | Return incident review activity for the notable events. |
| `notable_by_id(id)` | Retrieve the notable event associated with an event_id. |
| `notable_xrefs` | Retrieve the list of notable external reference ID numbers in your environment. Use the macro in a search with a leading pipe (|). |
| `notable_xrefs_by_event_id(id)` | Retrieve the notable event external references associated with an event_id. |
| `notable_owners` | Looks up the name of the person who owns a notable event using the owner field. |