Solved: Enterprise Security Suite Incident Review - How do...

vaudajordan · ‎06-16-2014

How do you control who is in the drop down list of owners, so you can assign a ticket to someone else? It seems to have picked a bunch of random people and not the two people I need in there.

LukeMurphey · ‎06-16-2014

Make sure that the users you want to assign notable events to have the "can_own_notable_events" capability. Once you add that, you should see them in the list of people you can assign notable events to in a few minutes.

View solution in original post

lmyrefelt · ‎06-17-2014

I belive your users need to be member of the "Security Analyst" (dont remmember the "correct" name) role

Read the docs, it is described in there how to setup / configure it correctly. 😉

LukeMurphey · ‎06-16-2014

Make sure that the users you want to assign notable events to have the "can_own_notable_events" capability. Once you add that, you should see them in the list of people you can assign notable events to in a few minutes.

aakwah · ‎09-30-2022

The problem with this solution is that all Admins have the capability "can_own_notable_events" and they appear in the list among SOC analysts.

The woraround I found is to disable "es_notable_events" in Lookup definitions page, and edit the kv-store lookup "notable_owners" by the app "Splunk App for Lookup File Editing".

The impact of this solution is that newly added SOC members need to be added manually to the "notable_owners" lookup.

Enterprise Security Suite Incident Review - How do you edit the owners list?

using Enterprise Security

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio