Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to make it mandatory to assign Dispositions to Notable Events in ES?

ezmo1982
Path Finder
‎06-24-2022 04:06 AM

Hi,

Notable events in ES can now be assigned Dispositions. I am able to create new Dispositions from the Incident Review page and enable/disable them. From the reviewsettings.conf file i can also set a default one, set it to Hidden etc.

However I am looking see if there is a way for Dispositions are required to be set when anyone edits a notable event from the Incident Review tab. I want to have "Unassigned" as the default one. But then require any of the others to be assigned when a notable is edited. Kind of similar to the way Comments can be set to Required. Basically i need them to be mandatory.

Anyone know of a way to do this?

Labels (2)
Reply

meetmshah
Builder
‎03-27-2024 01:08 AM

Hello @ezmo1982,

Yes, the exact feature was released in ES 7.2.0 - https://docs.splunk.com/Documentation/ES/7.2.0/RN/Enhancements as a part of https://ideas.splunk.com/ideas/ESSID-I-189

 

meetmshah_0-1711526829240.png

 

Please accept the solution and hit Karma, if this helps!

Reply

meetmshah
Builder
‎03-29-2024 11:35 PM

Hello @ezmo1982 , Just checking through if the issue was resolved or you have any further questions?

0 Karma
Reply

splunkbunk
Explorer
‎05-02-2023 08:18 AM

Ever find out if there's a way to do this?

0 Karma
Reply

splunketor
New Member
‎03-13-2024 08:39 AM

Hi,

I don't think it exists, I've inserted this question which also interests me as an idea for a proposal for future developments. You could add a vote to my idea https://ideas.splunk.com/ideas/ESSID-I-392 so that it is more visible and taken into consideration.

A thousand thanks

0 Karma
Reply

jopbakker94
Observer
‎03-21-2024 01:53 AM

Hi,

 

Not sure if this is what wou want, but is this not already an option in the Incident Review Settings page? When I enable this I am required to set a disposition other than the default of "undetermined".

** This is in Splunk ES 7.3.0 and it should have been added in ES 7.2

jopbakker94_0-1711010884989.png

jopbakker94_1-1711010939073.png

 

 

0 Karma
Reply

splunketor
New Member
‎03-21-2024 02:18 AM

Hi,

Thanks so much for the comment. I'm working on ES 7.2 this thing seems to still be missing. I will update the ES app soon so I will have this functionality back.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top