Issue
I was recently asked by a client if Swimlane could manage "Notable Events" in Splunk's Enterprise Security App, and if Swimlane could update the incident after it has been enriched, triaged, and analyzed (including the case management fields [Owner | Status | Urgency] and the analyst's comments). Below is a quick summary of the steps required.
Solution
- On your Splunk/ES instance, download and install the Swimlane App for Splunk.
- Configure the TA-Swimlane App:
- Modify your Splunk Alert Action to create a "Notable Event", or create a new "Correlation Search" in ES (Configure -> Content Management). If you want every new "Notable Event" to be submitted to the Swimlane API, simply add the term notable to the search pattern.
- For the Adaptive Response Action, select Swimlane and add the Swimlane Application ID that the record should be created in:
- If you're using Splunk's Common Information Model (CIM) and your fields already exist in the Swimlane App, select "Auto Map".
- If you use customized field names in your Swimlane App, select "Custom Map" and supply a mapping of Splunk field name to Swimlane field name, e.g. {"splunk_src_ip_field": "Swimlane Field 1", "splunk_dst_ip_field": "Swimlane Field 2"}.
- When a new Notable Event comes in, it will automatically create a new record in Swimlane.
- In order to update the Splunk incident from within Swimlane, create a new Swimlane [Python Integration] with the example code below (adapted to match your environment), and select your pre-defined destination fields for the record:
import json
import requests

# Swimlane Python Integration: inputs are read from sw_context, results are returned via sw_outputs.
url = 'https://splunk.server:8089/services/notable_update'

event_id = sw_context.inputs['splunk_es_event_id']
urgency = sw_context.inputs['case_severity']
status_label = sw_context.inputs['case_status']
owner = sw_context.inputs['case_owner']
comment = sw_context.inputs['splunk_es_comment']

# Splunk ES status codes: 1 New, 2 In Progress, 3 Pending, 4 Resolved, 5 Closed
status_codes = {
    'NEW': '1',
    'IN PROGRESS': '2',
    'PENDING': '3',
    'RESOLVED': '4',
    'CLOSED': '5',
}
# An unknown case status raises KeyError here instead of sending an undefined status to ES.
status = status_codes[status_label]

# notable_update takes form-encoded fields; lists are sent as repeated parameters.
data = {
    'ruleUIDs': [event_id],
    'urgency': [urgency.lower()],
    'status': [status],
    'newOwner': [owner],
    'comment': [comment],
}

# verify=False disables TLS certificate checking; in production point verify at your CA bundle instead.
splunk_es = requests.post(url, data=data, verify=False,
                          auth=('api_user_name', 'api_user_password'))
splunk_es.raise_for_status()
response = json.loads(splunk_es.text)
sw_outputs = [response]
- As you execute the "Update Splunk Notable Event" [Python Integration] in Swimlane (either through a manual trigger or automatically via the workflow), the case status, owner, urgency and comments can be viewed in Splunk ES under Incident Review:
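The two halves of the procedure above are both field-mapping exercises: the "Custom Map" turns a notable event into a Swimlane record, and the integration turns Swimlane case fields into a notable_update request. The following is an added example (not code from the page, from Swimlane, or from the Splunk app) that does both as plain functions so they can be checked offline before wiring them into the integration. It assumes the status codes listed on this page, the standard ES urgency values (informational, low, medium, high, critical), a constructed sample event and custom map, and a CA bundle path for the REST call; the function, field and credential names are hypothetical.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Splunk ES status codes as used on this page (0 = Unassigned also exists in ES).
ES_STATUS_CODES = {
    "UNASSIGNED": "0",
    "NEW": "1",
    "IN PROGRESS": "2",
    "PENDING": "3",
    "RESOLVED": "4",
    "CLOSED": "5",
}

# Urgency values accepted by ES Incident Review.
ES_URGENCIES = {"informational", "low", "medium", "high", "critical"}


def map_event_to_record(event, custom_map):
    """Apply a "Custom Map" ({splunk_field: swimlane_field}) to one notable
    event and return the Swimlane record fields. Splunk fields missing from
    the event are skipped rather than written as empty strings."""
    return {sw_field: event[sp_field]
            for sp_field, sw_field in custom_map.items()
            if sp_field in event}


def build_notable_update(event_id, status_label, urgency, owner, comment):
    """Build the form fields for POST /services/notable_update.
    Raises ValueError instead of sending a half-formed update when the
    Swimlane case carries a status or urgency that ES will not accept."""
    if not event_id:
        raise ValueError("event_id (the notable event's rule UID) is required")
    status = ES_STATUS_CODES.get(status_label.strip().upper())
    if status is None:
        raise ValueError(f"unknown case status {status_label!r}")
    urgency = urgency.strip().lower()
    if urgency not in ES_URGENCIES:
        raise ValueError(f"unknown urgency {urgency!r}")
    return {
        "ruleUIDs": [event_id],
        "status": [status],
        "urgency": [urgency],
        "newOwner": [owner],
        "comment": [comment],
    }


def post_notable_update(base_url, payload, username, password, cafile):
    """POST the payload to the ES REST API with HTTP basic auth, verifying the
    server certificate against cafile instead of disabling TLS checks."""
    body = urllib.parse.urlencode(payload, doseq=True).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/notable_update",
        data=body,
        headers={"Authorization": f"Basic {token}"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=cafile)  # assumption: the Splunk CA bundle path
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


# Constructed sample data (not a real event): the CIM fields an Adaptive Response
# Action would deliver, and a custom map in the shape shown on this page.
SAMPLE_EVENT = {
    "event_id": "00000000-1111-2222-3333-444444444444@@notable@@constructed",
    "src": "10.0.0.5",
    "dest": "203.0.113.10",
    "rule_name": "Brute Force Access Behavior Detected",
    "urgency": "high",
}
CUSTOM_MAP = {"src": "Source IP", "dest": "Destination IP", "rule_name": "Alert Name"}


if __name__ == "__main__":
    print(map_event_to_record(SAMPLE_EVENT, CUSTOM_MAP))
    print(build_notable_update(SAMPLE_EVENT["event_id"], "In Progress", "High",
                               "analyst1", "Triaged in Swimlane"))
```

Inside a Swimlane integration, `build_notable_update` would be fed from `sw_context.inputs` and `post_notable_update` would replace the `requests.post(..., verify=False, ...)` call; the validation step is what stops a renamed Swimlane status from silently leaving the ES notable untouched.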