Why does the Notable Incident Review Status dropdown have "No Matches"?

cjacklum — Fri, 19 Aug 2022 16:58:03 GMT

We are in SplunkCloud with ES 7.0.0

As a user with the sc_admin or ess_admin role when selecting an incident to edit, the drop-down for "Status" gives no matches. All other drop-downs give options as expected.

We've tried enable/disable all statuses, creating new statuses, adding/removing transitions roles for ALL statuses, granting permissions to edit_reviewstatus for additional roles, granting write permissions to kvstore reviewstatuses_lookup, and several other things.

Is there a key thing we are missing to be able to change status on incidents with the ess_admin user?

Re: Why does the Notable Incident Review Status dropdown have "No Matches"?

cjacklum — Tue, 06 Sep 2022 14:53:03 GMT

This turned out to be the sharing permissions on Enterprise Security App was set to "App".
The fix was to change this to "Global".

topic Why does the Notable Incident Review Status dropdown have "No Matches"? in Splunk Enterprise Security

Why does the Notable Incident Review Status dropdown have "No Matches"?

Re: Why does the Notable Incident Review Status dropdown have "No Matches"?