Splunk Enterprise Security

Is it possible to make it mandatory to assign Dispositions to Notable Events in ES?

ezmo1982
Path Finder

Hi,

Notable events in ES can now be assigned Dispositions. I am able to create new Dispositions from the Incident Review page and enable/disable them. From the reviewsettings.conf file I can also set a default one, set it to Hidden, etc.

However, I am looking to see if there is a way to require Dispositions to be set when anyone edits a notable event from the Incident Review tab. I want to have "Unassigned" as the default one, but then require any of the others to be assigned when a notable is edited, similar to the way Comments can be set to Required. Basically, I need them to be mandatory.

Anyone know of a way to do this?


meetmshah
Builder

Hello @ezmo1982,

Yes, the exact feature was released in ES 7.2.0 - https://docs.splunk.com/Documentation/ES/7.2.0/RN/Enhancements as a part of https://ideas.splunk.com/ideas/ESSID-I-189

Please accept the solution and hit Karma, if this helps!

0 Karma

meetmshah
Builder

Hello @ezmo1982, just checking in to see whether the issue was resolved or you have any further questions?

0 Karma

splunkbunk
Explorer

Ever find out if there's a way to do this?

0 Karma

splunketor
New Member

Hi,

I don't think it exists. I've submitted this question, which also interests me, as an idea for a proposal for future developments. You could add a vote to my idea https://ideas.splunk.com/ideas/ESSID-I-392 so that it is more visible and taken into consideration.

A thousand thanks

0 Karma

jopbakker94
Observer

Hi,

Not sure if this is what you want, but is this not already an option in the Incident Review Settings page? When I enable this, I am required to set a disposition other than the default of "undetermined".

** This is in Splunk ES 7.3.0 and it should have been added in ES 7.2

0 Karma

splunketor
New Member

Hi,

Thanks so much for the comment. I'm working on ES 7.2, and this thing seems to still be missing. I will update the ES app soon so I will have this functionality back.

0 Karma