Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to make it mandatory to assign Owner to Notable Events in ES?

Raphy
Explorer
‎11-12-2024 03:58 AM

Hello,
In Splunk Enterprise security we would like to make it mandatory to define a Notable owner to be able to close a notable. We would like to avoid to have closed notables without assignee/owner.

Is there a way in Splunk Enterprise Security to make the owner required to close a notable ?

Than you very much in advance.

Happy Splunking.

Raphael

Labels (2)
0 Karma
Reply

meetmshah
Builder
‎11-24-2024 02:15 AM

Hello @Raphy AFAIK, there's no default method which mandates having owner assigned while closing the notable event.

That being said, you can do either of following - 

1. Have a default owner assigned - https://community.splunk.com/t5/Splunk-Enterprise-Security/Is-it-possible-to-auto-assign-notables-in...

2. Schedule a search which periodically give you list of notable where owner is not assigned - 

| inputlookup incident_review_lookup
| where status="Closed" AND isnull(owner)

 

Please accept the solution and hit Karma, if this helps!

Reply

Raphy
Explorer
‎11-28-2024 07:40 AM

Thank you very much for your answer !

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...