
Using notable events in search

When a notable event is created, Splunk Enterprise Security indexes the event on disk and stores it in index=notable. Additional enrichment data is added to notable events at search time from various lookups and KV store collections.

To search for notable events, use the notable macro in your search rather than searching the notable index directly. The notable macro fills in default values and extracts the state of the event from the incident_review KV store collection. Some fields are consistent for all notable events, and each notable event returns different additional fields depending on the syntax of the correlation search. See Customize notable event settings in Splunk Enterprise Security.

| Notable event field type | Description | Examples |
|---|---|---|
| Event fields | Fields that all events have when indexed. | _time, host, source, sourcetype |
| Search-time-enriched fields | Fields added at search time by various correlation mechanisms. | event_id, xref_id, risk_score |
| Stash event fields | Each notable event is a stash event created by an adaptive response action. The notable event includes fields specific to this creation method. | orig_action_name, orig_sid, orig_rid |
| Incident review activity fields | Fields related to the notable event on Incident Review. See Incident review activity fields. | status, owner |
| Correlation search fields | Fields related to the correlation search that returned the notable event. | rule_name, severity |
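As an added example (not from the Splunk documentation), a triage report that uses the `notable` macro as recommended above instead of searching `index=notable` directly, so that `status`, `owner` and the other incident review fields are filled in. It assumes `status_group` and `status_label` are populated by the macro's incident_review enrichment in the same way as `status` and `owner`; `dc(orig_sid)` counts distinct correlation search runs, so a high ratio of notables per run points at a noisy correlation search.

```spl
`notable`
| search NOT status_group="Closed"
| fillnull value="unassigned" owner
| eval risk_score=coalesce(risk_score, 0)
| stats count AS open_notables, dc(event_id) AS unique_event_ids, dc(orig_sid) AS search_runs, max(risk_score) AS max_risk_score, values(status_label) AS statuses, max(_time) AS last_seen BY rule_name, severity, owner
| eval notables_per_run=round(open_notables / search_runs, 1)
| eval last_seen=strftime(last_seen, "%Y-%m-%dT%H:%M:%S%z")
| sort -max_risk_score, -open_notables
```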

Notable event fields enriched at search time

Some fields for a notable event are indexed with the notable event, but many are enriched at search time.

| Type | Field | Description |
|---|---|---|
| Unique identifier | event_id | Assigned at search time by the notable macro. Uniquely identifies a notable event. Used to create and update the status and user assignment of a notable event. |
| External reference | xref_name | Exists only when an external reference for a notable event is created. Identifies the type of external reference. |
| External reference | xref_id | Exists only when an external reference for a notable event is created. Identifies the notable event with a unique ID. |
| Asset correlation | src_is_expected, src_should_timesync, dest_should_update, dest_requires_av | Fields from the asset lookup, prefixed with the name of the asset field they were correlated on (src or dest in these examples). See Configure asset and identity correlation in Splunk Enterprise Security. |
| Identity correlation | user_bunit | Fields from the identity lookup, prefixed with the name of the identity field they were correlated on (user in this example). See Configure asset and identity correlation in Splunk Enterprise Security. |
| Risk correlation | risk_score | Calculated risk score for the affected asset, identity, or other risk object type in the notable event. |

Notable event stash fields

These stash fields help you identify notable events, and are indexed with the notable event.

| Field | Description |
|---|---|
| orig_event_id | Identifies the contributing event for a notable event, when a notable event is created from one event. Not all notable events include an orig_event_id. For example, searches that generate notable events based on an aggregate set of events do not include an orig_event_id. |
| orig_sid | Identifies the correlation search that created the notable event, by search ID. |
| orig_rid | Identifies the result position of the notable event within the correlation search results that created the notable event, for correlation searches that generate notable events on a per-result basis. |
| orig_action_name | Identifies the name of the adaptive response action that created the stash event. For notable events, this is always notable. |
| info_min_time, info_max_time | Define the time period of the correlation search that produced the notable event: earliest time and latest time, respectively. |

Incident review activity fields

You can also search analyst activity on notable events on Incident Review. Search notable events that have been reviewed by an analyst with the incident_review macro.

A search for `| incident_review` shows incident review activity using the following fields.

| Field | Description |
|---|---|
| _time | Local time of the incident review event. |
| comment | The reviewer's comment on the notable event at the time of the incident review event. |
| owner | The assigned owner of the notable event at the time of the incident review event. This is the account name. To convert it to a full name, use the notable_owners macro. |
| reviewer | The user who performed the incident review event. |
| rule_id | The unique event identifier. |
| rule_name | The correlation search that generated the notable event. |
| status | The numeric status code of the notable event at the time of the incident review event. |
| status_default | Whether the notable event is in its default status at the time of the incident review event. Boolean. |
| status_description | The long-form description of the notable event status at the time of the incident review event. |
| status_end | Whether the notable event is in an end status at the time of the incident review event. Boolean. |
| status_group | Status group of the event: Open, New, or Closed. |
| status_label | The short-form description of the notable event status at the time of the incident review event. |
| time | GMT time of the incident review event. |
| urgency | The urgency of the notable event at the time of the incident review event. |

You can use these fields in the search pipeline to evaluate and report on notable event incident review activity.
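As an added example (not from the Splunk documentation), a time-to-close report built from the incident review activity fields listed above. Each `rule_id` is one notable event; `status_end` marks the review event that moved it into an end status. It assumes the Boolean `status_end` is stored as the string "true" or "1", and it measures from the first review event, not from notable creation, so the result is analyst handling time after first touch.

```spl
`incident_review`
| eval closed_time=if(status_end="true" OR status_end="1", _time, null())
| stats min(_time) AS first_review, min(closed_time) AS first_close, dc(reviewer) AS reviewers, count AS review_events, latest(owner) AS owner, latest(rule_name) AS rule_name BY rule_id
| where isnotnull(first_close)
| eval hours_to_close=round((first_close - first_review) / 3600, 1)
| stats count AS closed_notables, avg(hours_to_close) AS avg_hours, median(hours_to_close) AS median_hours, max(hours_to_close) AS worst_hours, avg(reviewers) AS avg_reviewers BY rule_name
| eval avg_hours=round(avg_hours, 1), avg_reviewers=round(avg_reviewers, 1)
| sort -avg_hours
```

Notable events that were never moved to an end status are dropped by the `where` clause; remove it and report on `first_close` being null to list the backlog instead.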

Useful notable event macros

You can search notable events using the macros included with Splunk Enterprise Security.

| Macro | Usage details |
|---|---|
| notable | Return the notable events in the notable index. |
| incident_review | Return incident review activity for the notable events. |
| notable_by_id(id) | Retrieve the notable event associated with an event_id. |
| notable_xrefs | Retrieve the list of notable external reference ID numbers in your environment. Use the macro in search with a leading |
| notable_xrefs_by_event_id(id) | Retrieve the notable event external references associated with an event_id. |
| notable_owners | Look up the name of the person who owns a notable event using the owner field. |