Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

In Splunk Enterprise Security, how do I add a New field in an "Edit notable event" popup form?

mas
Path Finder
‎10-08-2018 04:19 AM

Hi,

One of my customers asked to add a field to the "Edit notable event" popup form in Splunk ES 5.1.1. To be more precise, customer wants an "Incident category" field, that must be populated by Security Analyst, picking up a choice from a restricted set of values (something very similar to "Status" field).

I know that I can add a "table attribute" using incident review customization page, but:
- incident category is not associated to a field in originating event (it is classified by Security Analyst);
- incident category values must be selected using a drop-down, from a restricted set of values.

Do you have any suggestions?

Thank you!

Reply

gworkun
Explorer
‎12-10-2018 05:44 PM

Would love to see if this ever gets added or is a way to add editable fields to notables.

0 Karma
Reply

alekwisnia
Explorer
‎07-22-2020 02:22 AM

+1 if anyone finds a solution. This is a must-have feature of SIEM - if anyone wants to report accordingly to NIST or ENISA standards of incident classification.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...