Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to make it mandatory to assign Owner to Notable Events in ES?

Raphy
Explorer
‎11-12-2024 03:58 AM

Hello,
In Splunk Enterprise security we would like to make it mandatory to define a Notable owner to be able to close a notable. We would like to avoid to have closed notables without assignee/owner.

Is there a way in Splunk Enterprise Security to make the owner required to close a notable ?

Than you very much in advance.

Happy Splunking.

Raphael

Labels (2)
0 Karma
Reply

meetmshah
Builder
‎11-24-2024 02:15 AM

Hello @Raphy AFAIK, there's no default method which mandates having owner assigned while closing the notable event.

That being said, you can do either of following - 

1. Have a default owner assigned - https://community.splunk.com/t5/Splunk-Enterprise-Security/Is-it-possible-to-auto-assign-notables-in...

2. Schedule a search which periodically give you list of notable where owner is not assigned - 

| inputlookup incident_review_lookup
| where status="Closed" AND isnull(owner)

 

Please accept the solution and hit Karma, if this helps!

Reply

Raphy
Explorer
‎11-28-2024 07:40 AM

Thank you very much for your answer !

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top