Splunk SOAR

Assigning Alerts/Cases Across Teams with Restricted Label Access in Splunk SOAR

mushknizamoffic
Engager

Hello,

I’m working on a use case in Splunk SOAR where I’ve structured alerts using labels to separate visibility between teams. This allows each team to focus only on their own alerts, avoiding confusion and overlap. The access is controlled through roles, so a user/team only sees alerts tied to their specific label.

The challenge I’m facing is with cross-team assignments. If a user from Team A (with Label A) wants to assign or escalate an alert to someone in Team B (with Label B), this isn’t possible because they don’t have access to that other label.

I’d like to know:

  1. Is there any supported method or workaround to allow cross-team assignment while still preserving restricted visibility?

  2. If such a transfer/escalation is possible, can the alert be hidden from the original team’s view once it has been reassigned to the new team?

The goal is to maintain clean separation of alerts per team while still allowing escalation paths between them.

Any guidance or best practices would be greatly appreciated.

Thank you!
