Splunk Enterprise Security

Edit Action Dropdown on a notable event

Denorsmith
Engager

I am trying to add a dashboard to the action dropdown when you are in incident review under specific notables. How do I do this? I cannot seem to find ANY document on how to do it and would appreciate a link to it or an explanation of how...

0 Karma

ro_mc
Path Finder

BePe is correct. In the main menu bar, click Settings -> Fields -> Workflow actions -> search on keyword "Investigator". You can also search from "All Configurations" if desired.

You will see a number of workflow actions from the DA-ESS-IdentityManagement app, such as identity_investigator_user. Click this link to see the options required to link to the desired dashboard.

Use this as a template to create a New Workflow action in the app of your choosing, ensuring that the workflow action is shared globally to be accessible from within Enterprise Security.

Label: <your choice>
Apply only to the following fields: <your choice>
Apply only to the following event types: <your choice>

Show action in: Fields menus
Action type: link
URI: /app/$@namespace$/dashboard_name?form.target_field=$@field_value$
Open link in: New window
Link method: get

This will create the appropriate stanza entries in the workflow_actions.conf for the container app.

0 Karma

BePe
Engager

Check the "workflow_actions.conf" files in the different apps and SAs for samples. 

 
