Create a profile

  • Release version: Zurich
  • Updated March 12, 2026

    You can set up a profile for manually forwarded events.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    Procedure

    To create a profile that supports manual event forwarding, follow these steps.

    For events that you forward on demand from your Splunk Enterprise Security console, you can base the individual field mapping on any existing profile. Alternatively, you can create a new mapping grid for exported attachment data. Events that you forward manually are not scheduled in the event profile.

    1. If not already selected, in the choice list for the Type field, select Manual Event Forwarding.
    2. In the Mapping Option field that is displayed, from the choice list, choose one mapping option to continue.
      Table 1. Create New field mapping option
      Option or field Description
      Create new field mapping option

      New field mapping for your event.

      If you do not have an existing field mapping that is similar to the profile that you are creating, select this option to create a new map.

      Default profile

      Default event forwarding profile for all Splunk events. Default is cleared (deactivated).

      When this option is enabled, this profile becomes the default profile for manual event forwarding. This profile is used when there is no match on source from the manually forwarded event. It becomes the default profile for all events with unknown sources.

      The Source field is unavailable if the default profile option is enabled.

      Source (Notable Event field)

      This field typically defines the correlation rule that triggered the notable event, for example, Brute Force Attacks.

      This field is unavailable if the default profile option is enabled.

      If available, this field permits unique event field mapping to security incident fields based on the Splunk correlation rule, which is typically different for different event types.

      If you want to manage different correlation rules separately, you can create different event profiles based on correlation rule.

      Automate Notable Event Updates

      Select this check box if you want to update the notable event status and add additional comments when a SIR incident is created from the notable event and/or when the SIR incident is closed. This occurs for both the initial triggering notable event that creates the SIR incident and aggregated events.

      Source (Splunk Server)

      The Splunk server that you configured as the source for notable events. If you have multiple Splunk servers configured, select the appropriate server for the notable event types that will be updated for the profile. You are required to enter a value.

      Order

      Default is 100. Leave this setting at the default.

      If you have created a large number of profiles, this value provides a runtime execution priority when two or more profiles share triggering conditions. The workflow in the profile with the lowest number has the highest priority.

      (Optional) Description

      Text to help you distinguish this profile from other profiles.

      For a profile with a new field mapping, verify that you have entered a value in the Source type field and select Continue to proceed to the mapping step of the configuration.

      Table 2. Select existing profile for field mapping option
      Option or field Description
      Select existing profile for field mapping

      Reuse an existing field mapping for your new notable event profile. The Copy from profile field is displayed.

      Follow these steps to copy an existing field mapping for this profile.

      1. To the left of the Copy from profile field that is displayed, select the search icon.
      2. In the Splunk ES Event Profiles list that is displayed, select the profile name that has the map that you want to copy.

        The profile name is displayed in the Copy from profile field.

      Default profile

      Default event forwarding profile for all Splunk notable events with unmatched source. Default is cleared (disabled).

      When this option is enabled, this profile becomes the default profile for manual event forwarding.

      The Source field is unavailable if the default profile option is enabled.

      Source (Notable Event field)

      This field typically defines the correlation rule that triggered the notable event, for example, Brute Force Attacks.

      This field is unavailable if the default profile option is enabled.

      If available, this field permits unique event field mapping to security incident fields based on the Splunk correlation rule, which is typically different for different event types.

      If you want to manage different correlation rules separately, you can create different event profiles based on correlation rule.

      Automate Notable Events

      Select this check box if you want to update the notable event status and add additional comments when a security incident is created from the notable event or when the security incident is closed. This occurs for both the initial triggering notable event that creates the security incident and aggregated events.

      Source (Splunk Server)

      Splunk server or search head that you configured as the source for notable events. If you have multiple Splunk servers configured, select the appropriate server for the notable event types that will be updated for the profile. You're required to enter a value.

      Order

      Default is 100. Leave this setting at the default.

      If you have created multiple profiles, this value provides a runtime execution priority when two or more profiles share triggering conditions. The workflow in the profile with the lowest number has the highest priority.

      (Optional) Description

      Text to help you distinguish this profile from other profiles.

      At the bottom of the form for selecting an existing mapping for your profile, select Finish to complete the profile configuration.
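
How the Default profile, Source and Order fields described above interact when a manually forwarded notable event arrives, as an added JavaScript model that is not ServiceNow code. The object shape, the sample profiles, exact-string matching on Source, and the null result when no default profile exists are assumptions.

```javascript
// Illustrative model only; property names are hypothetical, not a ServiceNow API.
// Constructed sample profiles.
const profiles = [
  { name: 'Brute force', source: 'Brute Force Attacks', isDefault: false, order: 100, splunkServer: 'splunk-prod' },
  { name: 'Brute force (tuned)', source: 'Brute Force Attacks', isDefault: false, order: 50, splunkServer: 'splunk-prod' },
  { name: 'Catch-all', source: null, isDefault: true, order: 100, splunkServer: 'splunk-prod' },
];

// Form constraints from the page: Source is unavailable on a default profile
// and Source (Splunk Server) is mandatory. Requiring Source on a non-default
// profile is an assumption of this model.
function validateProfile(p) {
  const errors = [];
  if (p.isDefault && p.source) errors.push('Source is unavailable on a default profile');
  if (!p.isDefault && !p.source) errors.push('Source is required on a non-default profile');
  if (!p.splunkServer) errors.push('Source (Splunk Server) is required');
  return errors;
}

// Pick the profile that handles a manually forwarded notable event.
function selectProfile(event, allProfiles) {
  const valid = allProfiles.filter((p) => validateProfile(p).length === 0);
  const byOrder = (a, b) => a.order - b.order;
  // Assumption: Source is compared to the event's source as an exact string.
  const matches = valid.filter((p) => !p.isDefault && p.source === event.source).sort(byOrder);
  if (matches.length > 0) return matches[0]; // lowest Order has the highest priority
  // No match on source: fall back to the default profile, if one exists.
  const defaults = valid.filter((p) => p.isDefault).sort(byOrder);
  // Assumption: without a default profile the event stays unmapped (null).
  return defaults.length > 0 ? defaults[0] : null;
}

// List sources claimed by more than one profile, where Order decides the outcome.
function findSharedSources(allProfiles) {
  const bySource = new Map();
  for (const p of allProfiles.filter((x) => !x.isDefault)) {
    bySource.set(p.source, [...(bySource.get(p.source) || []), p.name]);
  }
  return [...bySource].filter(([, names]) => names.length > 1);
}
```

Running `findSharedSources` over an exported profile list shows where leaving Order at 100 on every profile would make the winning mapping ambiguous.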