Splunk Enterprise Security

Is it possible to auto-assign notables in Enterprise Security?

PebbleHG
Engager

I have a team that wants specific notables to be automatically assigned to specific team members. Is this even possible with ES?

The way the team works is that specific members are assigned notables based off severity and tags. So something with severity=critical and tag=PAM* would be assigned to user1, and something with severity=high|critical and tag= would be assigned to user2. Right now, there are rotational duties to look at IR and assign notables, and a strong desire to automate this review process.

0 Karma

FrankVl
Ultra Champion

Yes, you can. You can either set a "Default Owner" for the notable event (see the respective correlation search configuration) or you can schedule a saved search that manipulates the incident_review_lookup where the notable status is tracked by ES.

Alternatively you could look at creating clones of the Incident Review page, with certain preset urgency and tag filters, so users with a certain scope have their own 'personalized' view on the Incident Review page.

0 Karma
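The routing rules PebbleHG describes, written out as the assignment step a scheduled job (of the kind FrankVl mentions) would run over unassigned notables. This is an added illustration, not code from the thread or from Splunk ES; the field names severity, tag and owner, the "*" tag glob for the second rule (the question leaves that tag blank) and the sample rows are assumptions.

```python
from fnmatch import fnmatchcase
from typing import Optional

# Constructed routing table mirroring the rules in the question: each rule
# lists the severities it covers, a glob over tag values ("*" = any tag,
# an assumption for the second rule) and the owner to assign.
# First match wins, so the narrower PAM rule sits before the broader one.
ROUTING_RULES = [
    {"severities": {"critical"}, "tag_glob": "PAM*", "owner": "user1"},
    {"severities": {"high", "critical"}, "tag_glob": "*", "owner": "user2"},
]

def pick_owner(notable: dict, rules=ROUTING_RULES) -> Optional[str]:
    """Return the owner for a notable, or None when no rule matches
    (None leaves the notable in the manual review rotation)."""
    severity = str(notable.get("severity", "")).lower()
    tags = notable.get("tag", [])
    if isinstance(tags, str):  # a single-valued field arrives as a plain string
        tags = [tags]
    for rule in rules:
        if severity not in rule["severities"]:
            continue
        if any(fnmatchcase(t, rule["tag_glob"]) for t in tags):
            return rule["owner"]
    return None

def assign_owners(notables: list) -> list:
    """Copy each row and fill in 'owner' only where it is still empty,
    so a notable an analyst already took is never reassigned by automation."""
    out = []
    for row in notables:
        row = dict(row)
        if not row.get("owner"):
            owner = pick_owner(row)
            if owner:
                row["owner"] = owner
        out.append(row)
    return out

# Constructed sample rows shaped like incident review entries.
SAMPLE_NOTABLES = [
    {"rule_id": "n1", "severity": "critical", "tag": ["PAM_vault", "privileged"]},
    {"rule_id": "n2", "severity": "high", "tag": "PAM_session"},
    {"rule_id": "n3", "severity": "medium", "tag": ["malware"]},
    {"rule_id": "n4", "severity": "critical", "tag": ["malware"], "owner": "analyst9"},
]

if __name__ == "__main__":
    for row in assign_owners(SAMPLE_NOTABLES):
        print(row["rule_id"], row.get("owner"))
```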

NightShark
Path Finder

Manipulating incident_review_lookup is actually not possible, as any changes made to the lookup itself get overridden by Splunk, and any changes made manually via a saved search, for example, are lost. Confirmed this case with Splunk support and have had a response that the assignment of notable events is not a feature that is currently possible with Splunk.
