Is it possible to make it mandatory to assign Owne...

Raphy · ‎11-12-2024

Hello,
In Splunk Enterprise security we would like to make it mandatory to define a Notable owner to be able to close a notable. We would like to avoid to have closed notables without assignee/owner.

Is there a way in Splunk Enterprise Security to make the owner required to close a notable ?

Than you very much in advance.

Happy Splunking.

Raphael

meetmshah · ‎11-24-2024

Hello @Raphy AFAIK, there's no default method which mandates having owner assigned while closing the notable event.

That being said, you can do either of following -

1. Have a default owner assigned - https://community.splunk.com/t5/Splunk-Enterprise-Security/Is-it-possible-to-auto-assign-notables-in...

2. Schedule a search which periodically give you list of notable where owner is not assigned -

| inputlookup incident_review_lookup
| where status="Closed" AND isnull(owner)

Please accept the solution and hit Karma, if this helps!

Raphy · ‎11-28-2024

Thank you very much for your answer !

Is it possible to make it mandatory to assign Owner to Notable Events in ES?

incident review

notable event

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation