topic Re: Is it expected : Workflow action visible under action for notable events on incident review on enterprise security in Splunk Dev

Is it expected : Workflow action visible under action for notable events on incident review on enterprise security

ekta_dravid — Fri, 08 Sep 2017 09:12:24 GMT

I had a add-on created with prefix TA-XYZ(having Adaptive response action) and one app say "ABC", which has workflow action defined.
When I merged TA-XYZ code to ABC I am now seeing the workflow actions under actions for notable events in incident review page as well.
I don't want my workflow actions to be visible under incident review on enterprise security. Is there any way to disable them on incident review ?

Note - While merging I renamed ABC to TA-ABC as i was not able to see Adaptive response action created in the merged code and after renaming ABC to TA-ABC I was able to see my adaptive response action.

Re: Is it expected : Workflow action visible under action for notable events on incident review on enterprise security

woodcock — Sat, 09 Sep 2017 20:04:03 GMT

This is kludgey but you can add a hidden field like _indextime to your workflow_action (you don't need to actually use it; just require it to be present) and then make sure that your incidents do not have this field (actually I am pretty sure that they will not).

Re: Is it expected : Workflow action visible under action for notable events on incident review on enterprise security

ekta_dravid — Mon, 11 Sep 2017 05:45:59 GMT

One more point to add I updated the permission form Global" to "App only". But still the actions are visible under Enterprise Security.

Re: Is it expected : Workflow action visible under action for notable events on incident review on enterprise security

woodcock — Tue, 12 Sep 2017 00:29:35 GMT

Try _bumping.