Using notable events in search
When a notable event is created, Splunk Enterprise Security indexes the event on disk and stores it in index=notable. Additional enrichment data is added to notable events at search time from various lookups and KV store collections.
To search for notable events, use the notable macro in your search rather than searching the notable index directly. The notable macro fills in default values and extracts the state of the event from the incident_review KV store collection. Some fields are consistent for all notable events, and each notable event returns different additional fields depending on the syntax of the correlation search. See Customize notable event settings in Splunk Enterprise Security.
| Notable event field type | Description | Examples |
|---|---|---|
| Event fields | Fields that all events have when indexed. | _time host source sourcetype |
| Search-time-enriched fields | Fields added at search time by various correlation mechanisms. | event_id xref_id risk_score |
| Stash event fields | Each notable event is a stash event created by an adaptive response action. The notable event includes fields specific to this creation method. | orig_action_name orig_sid orig_rid |
| Incident review activity fields | Fields related to the notable event on Incident Review. See Incident review activity fields. | status owner |
| Correlation search fields | Fields related to the correlation search that returned the notable event. | rule_name severity |
Notable event fields enriched at search time
Some fields for a notable event are indexed with the notable, but many are enriched at search time.
| Type | Field | Description |
|---|---|---|
| Unique identifier | event_id | Assigned at search time by the notable macro. Uniquely identifies a notable event. Used to create and update the status and user assignment of a notable event. |
| External reference | xref_name | Exists only when an external reference for a notable event is created. Identifies the type of external reference. |
| External reference | xref_id | Exists only when an external reference for a notable event is created. Identifies the notable event with a unique ID. |
| Asset correlation | src_is_expected src_should_timesync dest_should_update dest_requires_av | Fields from the asset lookup, prepended by the asset field. See Configure asset and identity correlation in Splunk Enterprise Security. |
| Identity correlation | user_bunit | Fields from the identity lookup, prepended by the identity field. See Configure asset and identity correlation in Splunk Enterprise Security. |
| Risk correlation | risk_score | Calculated risk score for the affected asset, identity, or other risk object type in the notable event. |
Notable event stash fields
These stash fields help you identify notable events, and are indexed with the notable event.
| Field | Description |
|---|---|
orig_event_id | Identifies the contributing event for a notable event, when a notable event is created from one event. Not all notable events include an orig_event_id. For example, searches that generate notable events based on an aggregate set of events do not include an orig_event_id. |
orig_sid | Identifies the correlation search that created the notable event, by search ID. |
orig_rid | Identifies the result position of the notable event within the correlation search results that created the notable event, for correlation searches that generate notable events on a per-result basis. |
orig_action_name | Identifies the name of the adaptive response action that created the stash event. For notable events, this is always notable. |
info_min_time info_max_time | Define the time period of the correlation search that produced the notable event. Earliest time and latest time, respectively. |
Incident review activity fields
You can also search analyst activity on notable events on Incident Review. Search notable events that have been reviewed by an analyst with the incident_review macro.
A search for | incident_review shows incident review activity using following fields.
| Field | Description |
|---|---|
_time | Local time of the incident review event. |
comment | The reviewer's comment on the notable event at the time of the incident review event. |
owner | The assigned owner of the notable event at the time of the incident review event. This is the account name. To convert to a full name, use the notable_owners macro. |
reviewer | The user who performed the incident review event. |
rule_id | The unique event identifier. |
rule_name | The correlation search that generated the notable event. |
status | The numeric status code of the notable event at the time of the incident review event. |
status_default | Whether the notable event is in its default status at the time of the incident review event. Boolean. |
status_description | The long form description of the notable event status at the time of the incident review event. |
status_end | Whether the notable event is in an end status at the time of the incident review event. Boolean. |
status_group | Status group of the event. Open, New, or Closed. |
status_label | The short form description of the notable event status at the time of the incident review event. |
time | GMT time of the incident review event. |
urgency | The urgency of the notable event at the time of the incident review event. |
You can use these fields in the search pipeline to evaluate and report on notable event incident review activity.
Useful Notable Event macros
You can search notable events using the macros included with Splunk Enterprise Security.
| Macro | Usage details |
|---|---|
notable | Return the notable events in the notable index. |
incident_review | Return incident review activity for the notable events. |
notable_by_id(id) | Retrieve the notable event associated with an event_id. |
notable_xrefs | Retrieve the list of notable external reference ID numbers in your environment. Use the macro in search with a leading |
notable_xrefs_by_event_id(id) | Retrieve the notable event external references associated with an event_id. |
notable_owners | Looks up the name of a person who owns a notable event using the owner field. |