- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to auto-assign notables in Enterprise Security?
I have a team that wants specific notables to be automatically assigned to specific team members. Is this even possible with ES?
The way the team works, is that specific members are assigned notables based off severity and tags. so something with severity=critical and tag=PAM* would be assigned to user1, and something with severity=high|critical and tag= would be assigned to user2. Right now, there's rotational duties to look at IR and assign notables, and a strong desire to automate this review process.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you can. You can either set a "Default Owner" for the notable event (see the respective correlation search configuration) or you can schedule a saved search that manipulates the incident_review_lookup where the notable status is tracked by ES.
Alternatively you could look at creating clones of the Incident Review page, with certain preset urgency and tag filters, so users with a certain scope have their own 'personalized' view on the Incident Review page.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Manipulating incident_review_lookup is actually not possbile, as any changes done to the lookup itself gets overriden by Splunk and any changes made manually via a saved search for example are lost. Confirmed this case with Splunk support and have had a response that the assignment of notable events is not a feature that is possible currently with Splunk
