topic Re: Enterprise Security Suite Incident Review - How Do You Edit the Owners List? in Splunk Enterprise Security

Enterprise Security Suite Incident Review - How do you edit the owners list?

vaudajordan — Fri, 30 Sep 2022 14:35:34 GMT

How do you control who is in the drop down list of owners, so you can assign a ticket to someone else? It seems to have picked a bunch of random people and not the two people I need in there.

Re: Enterprise Security Suite Incident Review - How Do You Edit the Owners List?

LukeMurphey — Mon, 28 Sep 2020 16:52:09 GMT

Make sure that the users you want to assign notable events to have the "can_own_notable_events" capability. Once you add that, you should see them in the list of people you can assign notable events to in a few minutes.

Re: Enterprise Security Suite Incident Review - How Do You Edit the Owners List?

lmyrefelt — Tue, 17 Jun 2014 11:02:29 GMT

I belive your users need to be member of the "Security Analyst" (dont remmember the "correct" name) role

Read the docs, it is described in there how to setup / configure it correctly. 😉

Re: Enterprise Security Suite Incident Review - How Do You Edit the Owners List?

aakwah — Fri, 30 Sep 2022 12:32:22 GMT

The problem with this solution is that all Admins have the capability "can_own_notable_events" and they appear in the list among SOC analysts.

The woraround I found is to disable "es_notable_events" in Lookup definitions page, and edit the kv-store lookup "notable_owners" by the app "Splunk App for Lookup File Editing".

The impact of this solution is that newly added SOC members need to be added manually to the "notable_owners" lookup.