We are attempting to make Splunk fit into our compliance needs. The auditors want us to check for certain things on the network (user locked out, user added to security group, etc.) and verify each day that we checked.
We were doing this with Alert Logic previously. Basically, Alert Logic had an internal "cases" interface where each search would put a "case" in the list to be reviewed. If it found something, one employee notes the reason after investigation and another employee closes it. Auditors want "dual control" to prevent one admin from falsifying things I guess.
The part where it gets tricky is when a search finds nothing. The auditors would like us to confirm that we checked even those "no findings" reports. Alert Logic did this out of the box (before they started changing their product to something wholly unrecognizable to us), and Splunk seemed to do it, but I'm finding it's tougher than first thought.
The "cases" interface could be had via the Alert Manager app or InfoSec app, neither of which are functioning in my cloud trial. I've resorted to an e-mail to a free Jira cloud instance to get these cases. Accepting that, I need to figure out how to get an alert to trigger both for no items found and for items found. The trigger options force me to choose.
Any help is appreciated. I've been working with Splunk support on this and they think some of the apps not working are due to the trial but they can't seem to get the alert triggering going. I'm sure there is a phrase I can stick in "custom" that'll work. I just don't know what. Thank you in advance.
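One way to get a case for every run, added here as an example (it is not from the original post or from Splunk's own documentation): make the search always return at least one row, so the ordinary "number of results greater than 0" trigger fires whether or not anything was found. The index, sourcetype, schedule and mail-in address below are assumptions; EventCodes 4740 (account locked out) and 4728/4732 (member added to a global/local security group) are standard Windows Security log IDs.

```ini
# savedsearches.conf stanza (constructed example). Assumes Windows Security
# events land in index=wineventlog; adjust index, sourcetype and schedule.
[Daily review - lockouts and security group changes]
enableSched = 1
cron_schedule = 0 6 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
# The appendpipe subsearch runs over the stats output. On zero rows,
# "stats count" still emits one row (n=0), which "where" keeps, so the
# search always returns at least one row: either real findings or a
# single "NO FINDINGS" marker row that becomes the evidence of the check.
search = index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4740 OR EventCode=4728 OR EventCode=4732) \
| stats count AS findings BY EventCode \
| appendpipe [ stats count AS n | where n == 0 | eval EventCode="none", findings=0 | fields - n ] \
| eval check="lockouts_and_group_changes", status=if(findings > 0, "REVIEW", "NO FINDINGS")
# A row is always present, so the plain result-count trigger is enough;
# no custom trigger condition is needed.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Fire once per run (one case per check, not one case per row).
alert.digest_mode = 1
# Deliver the rows to the case queue; the Jira mail-in address is a placeholder.
action.email = 1
action.email.to = jira-cases@example.invalid
action.email.subject = Daily check: lockouts and security group changes
action.email.sendresults = 1
action.email.inline = 1
```

Add whichever identity fields your Windows add-on extracts (for example `values(user)`) to the `stats` clause so the REVIEW rows carry the account names the reviewer needs.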