Splunk Enterprise Security

Splunk ES - How to ddd a Status to Incident Review Dashboard?

sswansonchtr
Path Finder

Under the 'Incident Review' dashboard, I want to add a Status type of 'False Positive' so I can easily find these and use them to help me tune the correlations etc. I found that I can change this lookup file: /splunk/app/splunk/etc/apps/SA-ThreatIntelligence/lookups/reviewstatuses.csv and it will show up correctly in the top fields for searching/filtering. This goes away on a refresh/reload of the service though. Also, editing this file, does not show the new Status type as an option when 'editing' events in the bottom panel.

Labels (1)
0 Karma
1 Solution

LukeMurphey
Champion

Use the notable event statuses editor to add a review status. That page will also help you define who and how statuses are allowed to be transitioned.

View solution in original post

LukeMurphey
Champion

Use the notable event statuses editor to add a review status. That page will also help you define who and how statuses are allowed to be transitioned.

sswansonchtr
Path Finder

Thanks for the info. I tried this and it will stay after I refresh/reload splunk but I still don't get an option to label the event as that new status. It only shows up in the filtering options. Not when I select to edit the event. Not sure if it only applied to new notables so I will wait until I get one.

0 Karma

rsteffes
Engager

In case anyone else is unable to see their custom event status in the "Edit Events" menu, you have to edit the existing statuses in the status editor and give user groups authorization to transition the status to your new custom status.

n00b
Explorer

2.5 years later, still useful. This is what I was missing.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...