Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to make it mandatory to assign Dispositions to Notable Events in ES?

ezmo1982
Path Finder
‎06-24-2022 04:06 AM

Hi,

Notable events in ES can now be assigned Dispositions. I am able to create new Dispositions from the Incident Review page and enable/disable them. From the reviewsettings.conf file i can also set a default one, set it to Hidden etc.

However I am looking see if there is a way for Dispositions are required to be set when anyone edits a notable event from the Incident Review tab. I want to have "Unassigned" as the default one. But then require any of the others to be assigned when a notable is edited. Kind of similar to the way Comments can be set to Required. Basically i need them to be mandatory.

Anyone know of a way to do this?

Labels (2)
Reply

meetmshah
Builder
‎03-27-2024 01:08 AM

Hello @ezmo1982,

Yes, the exact feature was released in ES 7.2.0 - https://docs.splunk.com/Documentation/ES/7.2.0/RN/Enhancements as a part of https://ideas.splunk.com/ideas/ESSID-I-189

 

meetmshah_0-1711526829240.png

 

Please accept the solution and hit Karma, if this helps!

Reply

meetmshah
Builder
‎03-29-2024 11:35 PM

Hello @ezmo1982 , Just checking through if the issue was resolved or you have any further questions?

0 Karma
Reply

splunkbunk
Explorer
‎05-02-2023 08:18 AM

Ever find out if there's a way to do this?

0 Karma
Reply

splunketor
New Member
‎03-13-2024 08:39 AM

Hi,

I don't think it exists, I've inserted this question which also interests me as an idea for a proposal for future developments. You could add a vote to my idea https://ideas.splunk.com/ideas/ESSID-I-392 so that it is more visible and taken into consideration.

A thousand thanks

0 Karma
Reply

jopbakker94
Observer
‎03-21-2024 01:53 AM

Hi,

 

Not sure if this is what wou want, but is this not already an option in the Incident Review Settings page? When I enable this I am required to set a disposition other than the default of "undetermined".

** This is in Splunk ES 7.3.0 and it should have been added in ES 7.2

jopbakker94_0-1711010884989.png

jopbakker94_1-1711010939073.png

 

 

0 Karma
Reply

splunketor
New Member
‎03-21-2024 02:18 AM

Hi,

Thanks so much for the comment. I'm working on ES 7.2 this thing seems to still be missing. I will update the ES app soon so I will have this functionality back.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...