Hello Omar,
Great! I'm glad to hear you are up and running. I can provide some information on your additional questions as well:
1. You can map anything you want, provided the token ($result.example_value$) returns a value and the desired field in Resilient exists. For example, it's common to map $result.src$ to an artifact. However, this is search-dependent. I suggest using the Splunk Search and Reporting tool to dig into your searches to see what tokens are available to you for a given search.
2. This is not possible. As of now, the relationship between notable events and incidents is one-to-one.
3. As you note, this is related to number 2. It is possible to update an incident in Resilient, but the relationship is one-to-one. What that means is that if you are on a recent version of SA-Resilient (latest is 1.2.2), you can uncheck "Allow Duplicate Incidents" during setup. If SA-Resilient is configured in this manner, any notable events escalated will search Resilient for an incident with a splunk_notable_event_id field equal to the targeted notable event. If a match is found, that incident will be updated. If there is no match, or your settings are configured to allow duplicate incidents, a new incident will be created.
SA-Resilient docs:
https://github.com/ibmresilient/resilient-reference/tree/master/developer_guides/resilient-splunk-addon
Splunk Searching and Reporting docs:
https://docs.splunk.com/Documentation/Splunk/8.1.2/Overview/Searchingandreporting
------------------------------
Brian Reid
------------------------------
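The token mapping and the one-to-one "Allow Duplicate Incidents" behaviour Brian describes, modelled as an added example (my own code, not the SA-Resilient add-on's; FakeResilient is an assumed in-memory stand-in for the Resilient org, not the real REST API, and the notable event and field maps are constructed samples):

```python
import re
from dataclasses import dataclass, field

# Constructed sample notable-event result, as the Adaptive Response Action would receive it.
NOTABLE = {"event_id": "NOTABLE-0001", "rule_name": "Prohibited activity",
           "src": "10.0.0.5", "dest": "192.0.2.10"}

# Constructed maps: Resilient field -> token, and artifact type -> token.
FIELD_MAP = {"name": "$result.rule_name$", "description": "Escalated from Splunk ES"}
ARTIFACT_MAP = {"IP Address": "$result.dest$", "Custom": "$result.additional_field_label$"}

TOKEN_RE = re.compile(r"^\$result\.([A-Za-z0-9_]+)\$$")

def resolve_token(template, result):
    """Return the value a $result.<field>$ token maps to, or None when the search
    result has no such field (the $result.additional_field_label$ case above)."""
    m = TOKEN_RE.match(template)
    if m is None:
        return template            # a literal value, not a token
    return result.get(m.group(1))  # None if this search does not yield the field

@dataclass
class Incident:
    fields: dict
    artifacts: list = field(default_factory=list)

class FakeResilient:
    """Assumed in-memory stand-in for a Resilient org (not the real API)."""
    def __init__(self):
        self.incidents = []

    def find_by_notable_id(self, notable_id):
        return next((i for i in self.incidents
                     if i.fields.get("splunk_notable_event_id") == notable_id), None)

def escalate(result, resilient, field_map, artifact_map, allow_duplicates):
    """One notable <-> one incident: update the matching incident if duplicates are
    disallowed and one exists, otherwise create. Unresolvable tokens are skipped."""
    fields = {dst: v for dst, tmpl in field_map.items()
              if (v := resolve_token(tmpl, result)) is not None}
    artifacts = [(atype, v) for atype, tmpl in artifact_map.items()
                 if (v := resolve_token(tmpl, result)) is not None]
    notable_id = result.get("event_id")  # None if the action ran before the notable existed
    fields["splunk_notable_event_id"] = notable_id
    existing = (None if allow_duplicates or notable_id is None
                else resilient.find_by_notable_id(notable_id))
    if existing is not None:
        existing.fields.update(fields)                     # only the new details change
        existing.artifacts.extend(a for a in artifacts if a not in existing.artifacts)
        return existing, "updated"
    incident = Incident(fields, artifacts)
    resilient.incidents.append(incident)
    return incident, "created"
```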
Original Message:
Sent: Mon March 15, 2021 04:45 AM
From: Omar Darweesh
Subject: Splunk ADD-ON [Event_ID field not mapped]
Hello Brian,
Thank you for your reply, the incidents now are created on IBM Resilient properly.
There are a few questions I hope to get answers for:
- From the Splunk side, I create the incidents on IBM Resilient manually (through Run Adaptive Response Actions). My question is that I want to map the additional fields in the notable event to artifacts in IBM Resilient (e.g. destination IP addresses in notable events to IP address in incident artifacts). If this is applicable, kindly advise, or if we can map them to whatever field in Resilient, kindly advise. Kindly note that I have tried this ($result.additional_field_label$) but no results appear.
- From the Splunk side, can we create only one incident for multiple notable events? For example, we create an incident in IBM Resilient from a (prohibited activity) notable event in Splunk, and we receive another notable event with the same name (prohibited activity) in Splunk but with different details. Can we update the incident with only the new details and not create a new incident for each notable event?
- This question is related to the previous one. From the Resilient side, for the "updating notable event status" rule, can we update multiple notable events which are connected to only one incident?
------------------------------
Omar Darweesh
Original Message:
Sent: Wed March 10, 2021 10:35 AM
From: Brian Reid
Subject: Splunk ADD-ON [Event_ID field not mapped]
Hello Omar,
Thank you for your question. First things first, please make sure you have all the proper configurations in place to map the Notable Event ID to a Resilient incident (you are using Splunk ES, the custom field is created in Resilient, etc). If your configuration is good, the next thing that you will want to check is the order that your Adaptive Response Actions happen if you are automatically generating alerts in Resilient (versus manually triggering the action on an existing notable). If the action to send to Resilient comes before the notable event is actually created in Splunk, there won't be an ID to include in the incident payload. Try swapping the order in which your Adaptive Response Actions occur.
For further reference, the documentation for SA-Resilient is located in the resilient-reference repository on Github. Have a look there to double check your configuration.
https://github.com/ibmresilient/resilient-reference/tree/master/developer_guides/resilient-splunk-addon
By the way, 1.2.2 (the latest version) is now available on Splunkbase!
https://splunkbase.splunk.com/app/3861/
------------------------------
Brian Reid
Original Message:
Sent: Mon March 08, 2021 10:34 PM
From: Omar Darweesh
Subject: Splunk ADD-ON [Event_ID field not mapped]
Hello all,
I have installed the Resilient add-on for Splunk (version 1.2.0), and the automatic escalation of notable events from a correlation search to Resilient incidents works fine, but the event ID is not mapped to the "Splunk Notable Event ID" custom field in Resilient. Any advice?
------------------------------
Omar Darweesh
------------------------------