Splunk Enterprise Security

Splunk ES: Best way to do a Yes/No or simple indicator for acceptance of an alert?

sssinqiry5
Engager

Hi all,

My team needs to clear an alert with a totally different department before we consider it "published" for the purposes of audit etc. I need a SIMPLE way to mark an alert as "in review"  that has the ability to make the distinction between "published" and "in review" clear on dashboards. 

Requirements:
1. something simple that a non-tech team won't mess up
2. readable by dashboards

Thanks in advance!

Labels (1)
0 Karma

sidoyle_
Explorer

I created a new "Security Domain" called Development, all my new rules have a notable that are then assigned to that until I am satisfied they are "in production" so to speak. Once they go in production i would put them into the relevant security domain.

This can easily be identified in the Incident Review Dashboard.

image.png

 

Hope this helps.

0 Karma
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...