Is it expected : Workflow action visible under act...

ekta_dravid · ‎09-08-2017

I had a add-on created with prefix TA-XYZ(having Adaptive response action) and one app say "ABC", which has workflow action defined.
When I merged TA-XYZ code to ABC I am now seeing the workflow actions under actions for notable events in incident review page as well.
I don't want my workflow actions to be visible under incident review on enterprise security. Is there any way to disable them on incident review ?

Note - While merging I renamed ABC to TA-ABC as i was not able to see Adaptive response action created in the merged code and after renaming ABC to TA-ABC I was able to see my adaptive response action.

woodcock · ‎09-09-2017

This is kludgey but you can add a hidden field like _indextime to your workflow_action (you don't need to actually use it; just require it to be present) and then make sure that your incidents do not have this field (actually I am pretty sure that they will not).

ekta_dravid · ‎09-10-2017

One more point to add I updated the permission form Global" to "App only". But still the actions are visible under Enterprise Security.

woodcock · ‎09-11-2017

Try _bumping.

Is it expected : Workflow action visible under action for notable events on incident review on enterprise security

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases