Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to make it mandatory to assign Dispositions to Notable Events in ES?

ezmo1982
Path Finder
‎06-24-2022 04:06 AM

Hi,

Notable events in ES can now be assigned Dispositions. I am able to create new Dispositions from the Incident Review page and enable/disable them. From the reviewsettings.conf file i can also set a default one, set it to Hidden etc.

However I am looking see if there is a way for Dispositions are required to be set when anyone edits a notable event from the Incident Review tab. I want to have "Unassigned" as the default one. But then require any of the others to be assigned when a notable is edited. Kind of similar to the way Comments can be set to Required. Basically i need them to be mandatory.

Anyone know of a way to do this?

Labels (2)
Reply

meetmshah
Builder
‎03-27-2024 01:08 AM

Hello @ezmo1982,

Yes, the exact feature was released in ES 7.2.0 - https://docs.splunk.com/Documentation/ES/7.2.0/RN/Enhancements as a part of https://ideas.splunk.com/ideas/ESSID-I-189

 

meetmshah_0-1711526829240.png

 

Please accept the solution and hit Karma, if this helps!

Reply

meetmshah
Builder
‎03-29-2024 11:35 PM

Hello @ezmo1982 , Just checking through if the issue was resolved or you have any further questions?

0 Karma
Reply

splunkbunk
Explorer
‎05-02-2023 08:18 AM

Ever find out if there's a way to do this?

0 Karma
Reply

splunketor
New Member
‎03-13-2024 08:39 AM

Hi,

I don't think it exists, I've inserted this question which also interests me as an idea for a proposal for future developments. You could add a vote to my idea https://ideas.splunk.com/ideas/ESSID-I-392 so that it is more visible and taken into consideration.

A thousand thanks

0 Karma
Reply

jopbakker94
Observer
‎03-21-2024 01:53 AM

Hi,

 

Not sure if this is what wou want, but is this not already an option in the Incident Review Settings page? When I enable this I am required to set a disposition other than the default of "undetermined".

** This is in Splunk ES 7.3.0 and it should have been added in ES 7.2

jopbakker94_0-1711010884989.png

jopbakker94_1-1711010939073.png

 

 

0 Karma
Reply

splunketor
New Member
‎03-21-2024 02:18 AM

Hi,

Thanks so much for the comment. I'm working on ES 7.2 this thing seems to still be missing. I will update the ES app soon so I will have this functionality back.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...