Does Splunk Enterprise provide any API to retrieve or modify Incidents via the REST API? Example: Get Incident information, Change Incident Status, Change Incident Severity, Change Incident...
I want to create a default search filter for ALL users that go into ES IncidentReview. You can create a new filter but this I believe gets saved in your profile... I go into /splunk/e...
...S/latest/Admin/Customizenotables This basically says you can add additional fields, but this will apply to all Notables in IncidentReview.
My question is if other notables that have d...
Hi all,
I tried to customize the IncidentReview dashboard to display some additional fields, such as user, src or dest, as described in the Enterprise Security Admin course.
At first I found that t...
Can I add a comment field as a table attribute on the incidentreview page? For that, what would the field name be, so I can map it to my custom label? Where can I find the field name for owner & status a...
Hello, we just updated ES from 6.4 to 6.6. The new incidentreview dashboard completely ignores suppressed events, showing them in the list. Is this a known issue or something caused by the u...
...vents in Splunk ES incidentreview dashboard.
While investigating the events, mostly those are false positive.
In the notable events, we could see success count is 320 and failed attempt count i...
Hi All, under IncidentReview, is there a way to merge/consolidate triggered alerts of the same type and same host into one? By default it shows every single alert even though its f...