Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to make it mandatory to assign Dispositions to Notable Events in ES?

ezmo1982
Path Finder
‎06-24-2022 04:06 AM

Hi,

Notable events in ES can now be assigned Dispositions. I am able to create new Dispositions from the Incident Review page and enable/disable them. From the reviewsettings.conf file i can also set a default one, set it to Hidden etc.

However I am looking see if there is a way for Dispositions are required to be set when anyone edits a notable event from the Incident Review tab. I want to have "Unassigned" as the default one. But then require any of the others to be assigned when a notable is edited. Kind of similar to the way Comments can be set to Required. Basically i need them to be mandatory.

Anyone know of a way to do this?

Labels (2)
Reply

meetmshah
SplunkTrust
SplunkTrust
‎03-27-2024 01:08 AM

Hello @ezmo1982,

Yes, the exact feature was released in ES 7.2.0 - https://docs.splunk.com/Documentation/ES/7.2.0/RN/Enhancements as a part of https://ideas.splunk.com/ideas/ESSID-I-189

 

meetmshah_0-1711526829240.png

 

Please accept the solution and hit Karma, if this helps!

Reply

meetmshah
SplunkTrust
SplunkTrust
‎03-29-2024 11:35 PM

Hello @ezmo1982 , Just checking through if the issue was resolved or you have any further questions?

0 Karma
Reply

splunkbunk
Explorer
‎05-02-2023 08:18 AM

Ever find out if there's a way to do this?

0 Karma
Reply

splunketor
New Member
‎03-13-2024 08:39 AM

Hi,

I don't think it exists, I've inserted this question which also interests me as an idea for a proposal for future developments. You could add a vote to my idea https://ideas.splunk.com/ideas/ESSID-I-392 so that it is more visible and taken into consideration.

A thousand thanks

0 Karma
Reply

jopbakker94
Observer
‎03-21-2024 01:53 AM

Hi,

 

Not sure if this is what wou want, but is this not already an option in the Incident Review Settings page? When I enable this I am required to set a disposition other than the default of "undetermined".

** This is in Splunk ES 7.3.0 and it should have been added in ES 7.2

jopbakker94_0-1711010884989.png

jopbakker94_1-1711010939073.png

 

 

0 Karma
Reply

splunketor
New Member
‎03-21-2024 02:18 AM

Hi,

Thanks so much for the comment. I'm working on ES 7.2 this thing seems to still be missing. I will update the ES app soon so I will have this functionality back.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...