Adds workflow actions so that an analyst either looking at the incident review dashboard, manually searching index=notable, or manually searching index=threat_activity can use the event actions to find the underlying threat events. (See screenshots)
These events contain all the components you need to get to the raw events, including:
- Timeframe (info_min_time and info_max_time)
- Sourcetype (e.g., websense, bluecoat, or what have you)
- Triggering fields (e.g., dest, file_name, etc.)
- Scoping fields (e.g., src, host, etc.)
There are then embedded in tokens in the search so that you will get any of the raw events.
If you're a detail-oriented Splunker, you might notice that there are a few field extractions -- in the event of searching from index=notable or the incident review dashboard, we are looking at a twice-summaried event. The first is from raw event to index=threat_activity, and the second is from index=threat_activity to index=notable. These extractions allow us to make sure that we are gathering the correct field extractions to pull out our data.
Currently, just src/dest based hits and filename based hits are supported. Adding any extras are really easy, I just don't have examples to make sure they work. Send me an example index=notable and/or index=threat_activity (preferably both) and I'll be happy to add support. Or add it yourself (it's not hard) by modifying the search and then send me the working version so that I can integrate it.
Easy -- just install the app on your search head -- no other work required.
It has been tested on 4.0.x, but it should also work on 6.3.x
Only in a 6.3 demo system, at present. That said, if it fails it should fail in a way that is totally non-impactful.
Fixed a few bugs with drilling down from notable events (prior work was from the threat activity events).
Initial Release
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.