Alarms at first glance, seem a bit limited but I may be missing something. Tried reading the docs and searching around in the community but haven't had luck today.
I can create them with severity (this is good), have them show in my "triggered alerts" but I cannot find workflow abilities… Choices like "annotate, assign, or close them (aside from delete)".
As an example a team would watch a board for an alert and would call-out to a response team. The team that is on-call or actioning should be able to remove the alerts from the other screen or assign them to individuals to work on (mark as in-progress).
I've done this in other SIEM's and hope it doesn't require webhooks to an external application, perhaps I can custom do this on a dashboard but would need a bit of guidance.
Thoughts? Thank you in advance. (First time posting)
There is no case-management capability in core splunk. This featureset exists in Splunk's premium app Enterprise Security and also in the free Alert Manager app in splunkbase. We are also working on our own premium app for this (as are others, I am sure).