Splunk ES: Best way to do a Yes/No or simple indicator for acceptance of an alert?
sssinqiry5
Engager
06-23-2022
07:44 AM
Hi all,
My team needs to clear an alert with a totally different department before we consider it "published" for the purposes of audit etc. I need a SIMPLE way to mark an alert as "in review" that has the ability to make the distinction between "published" and "in review" clear on dashboards.
Requirements:
1. something simple that a non-tech team won't mess up
2. readable by dashboards
Thanks in advance!
sidoyle_
Explorer
06-23-2022
08:00 AM
I created a new "Security Domain" called Development; all my new rules have a notable that is then assigned to that domain until I am satisfied they are "in production", so to speak. Once they go into production I would put them into the relevant security domain.
This can easily be identified in the Incident Review Dashboard.
Hope this helps.
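As an added example (not part of the reply above or of Splunk's own documentation), here is one way a dashboard panel could surface that distinction. It assumes the custom domain is stored in the notable event's `security_domain` field with the value `development` (an assumption; check the exact value your correlation searches write) and uses the ES `notable` macro to enrich notables with `rule_name` and `status_label`:

```spl
| `notable`
| search NOT status_label="Closed"
| eval review_state = if(security_domain="development", "in review", "published")
| stats count AS notables,
        min(_time) AS first_seen,
        max(_time) AS last_seen
  BY review_state, security_domain, rule_name
| convert ctime(first_seen) ctime(last_seen)
| sort review_state, -notables
```

Because the domain is set on the correlation search rather than on each notable, the reviewing team never edits individual events; moving a rule from Development to its real domain is the single action that flips it from "in review" to "published" on this panel. If some notables were generated before a domain was assigned, add a `fillnull value="unassigned" security_domain` step so they are not silently counted as published.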
