Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it expected : Workflow action visible under action for notable events on incident review on enterprise security

ekta_dravid
New Member
‎09-08-2017 02:12 AM
  1. I had a add-on created with prefix TA-XYZ(having Adaptive response action) and one app say "ABC", which has workflow action defined.
  2. When I merged TA-XYZ code to ABC I am now seeing the workflow actions under actions for notable events in incident review page as well.
  3. I don't want my workflow actions to be visible under incident review on enterprise security. Is there any way to disable them on incident review ?

Note - While merging I renamed ABC to TA-ABC as i was not able to see Adaptive response action created in the merged code and after renaming ABC to TA-ABC I was able to see my adaptive response action.

0 Karma
Reply

woodcock
Esteemed Legend
‎09-09-2017 01:04 PM

This is kludgey but you can add a hidden field like _indextime to your workflow_action (you don't need to actually use it; just require it to be present) and then make sure that your incidents do not have this field (actually I am pretty sure that they will not).

0 Karma
Reply

ekta_dravid
New Member
‎09-10-2017 10:45 PM

One more point to add I updated the permission form Global" to "App only". But still the actions are visible under Enterprise Security.

0 Karma
Reply

woodcock
Esteemed Legend
‎09-11-2017 05:29 PM

Try _bumping.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...