Hello, we would like to filter the ES Incident Review and hide notables containing the TEST keyword, for example. How can we do that? Thanks for your help.
Alright, if the "TEST" keyword is in the search title, you can filter it as shown below.
search_name!=*TEST*
------
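As an added example (not part of any post in this thread), the same `search_name!=*TEST*` expression from the answer above can also be run as an ordinary search over the notable index, which is useful for checking what the Incident Review filter will hide. The `notable` macro and the `rule_name`, `urgency` and `status_label` fields are standard Splunk ES notable fields; the `TEST` keyword is the one used in the question.

```spl
`notable`
| search search_name!="*TEST*"
| table _time, rule_name, search_name, urgency, status_label
```

Because this is a filter and not a suppression, the TEST notables are still created and indexed; they are only left out of the view.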
Hello @jawahir007 how are you? Found out we can filter by search_title also, where can we find list of IR fields? Thanks for your help!
You can achieve this by creating Custom Notable Event Suppressions. Please refer to the link below for more details.
------
Hi @jawahir007 we don't want to suppress them just hide them based on saved filter.
Alright, if the "TEST" keyword is in the search title, you can filter it as shown below.
search_name!=*TEST*
------
Great thanks, it works with classic IR view 🙂
I've written this little app to address this specific use case:
https://github.com/kilanmundera/Custom-Annotations-Framework-for-Splunk-Enterprise-Security