Configure Incident Workflow
Notable event statuses manage the workflow of notable events in the Splunk App for PCI Compliance. Most users do not need to change these settings from the default. The workflow status of a notable event lets you track where each PCI compliance issue is in its review and response.
The default incident workflow is for a new event to have its owner changed from unassigned to a named user and its status changed from New to In Progress. From there, the PCI compliance analyst troubleshoots the issue. If some action must be taken before the event can be closed, the status is changed to Pending; otherwise it can go straight to Resolved. To move from Resolved to Closed, the event must be verified by another party (for example, an admin).
Notable event options
By default, a notable event in the Incident Review dashboard is assigned a status of New and owner Unassigned. The initial urgency is determined when the notable event is generated, and is based on the severity of the event and the priority of the asset corresponding to the event. The correlation searches define the event's severity. The asset table defines an asset's priority.
Notable event status | Description |
---|---|
Unassigned | An error is preventing the issue from having a valid status assignment. |
New (default) | The event has not yet been reviewed. |
In Progress | Investigation or response is in progress. |
Pending | Event closure is pending some action. |
Resolved | Issue is resolved and awaits verification. |
Closed | Event or issue is resolved and verified. |

Urgency level (a computed value) | Description |
---|---|
Informational | Event is informational only. |
Low | Event has low urgency. |
Medium | Event has medium urgency. |
High | Event has high urgency. |
Critical | Event has critical urgency. |

Owner | Description |
---|---|
unassigned | Event is unassigned. |
admin | Event is assigned to the admin user. |
pcianalyst | Event is assigned to the PCI analyst user. |
pciadmin | Event is assigned to the PCI admin user. |
Modify notable event workflow fields and values
An individual notable event can be modified from the Incident Review dashboard.
To modify a notable event:
1. Select an event and check the box next to it.
2. Click Edit selected events to open the Edit Event panel. From here you can change the status of the event, assign it to an owner (for example, the PCI compliance administrator, pciadmin), and add a comment.
3. When you are done, click Save Changes.
Modify log review settings
The Comment field can be configured so that a comment must be entered whenever an event is edited. PCI compliance analysts might be required to enter comments when reviewing notable events to improve the quality of the records. In most PCI compliance configurations, comments are mandatory for changing the characteristics of an event: the comment explains why the change was made without having to track down the person who made it, and it creates a more complete audit record.
Mandatory commenting is an optional feature and is turned off by default. To enable it, go to Configure > Incident Management > Incident Review Setting > Comments, select Comment Required, and specify a minimum comment length.
If a modified event is not displayed when the Incident Review dashboard refreshes, check that the filters at the top of the dashboard are not hiding it. For example, if the dashboard is filtered on status "New", an event that you just changed to "In Progress" no longer matches the filter and disappears from the list.
Edit notable event status
The default notable event statuses can be edited or a new status can be added. Before editing or adding any status, plan out the status workflow to be used in the enterprise.
The workflow can be implemented using the Notable Event Statuses editor to manage notable event statuses, status transitions, default status, and user authorization.
1. To implement the planned workflow, go to Configure > Incident Management > Notable Event Statuses to open the Notable Event Status panel.
2. Click the label of a status to change its details. Individual statuses can be enabled or disabled.
3. The Edit Notable Event Status panel shows the label, the description, the status flags described below, and the status transitions for that status.
- a. Click the Default status check box to assign this status to every newly created notable event. Only one notable event status can have Default status checked.
- b. Click End status to configure this status so that it cannot be transitioned to another status. This particular event status becomes terminal.
- c. Click Enabled to enable this status for notable events.
4. Click Save after making your edits to implement the changes.
Status transitions
The Splunk App for PCI Compliance provides a default set of workflow status transitions.
Status transitions include:
- New - transitions to In Progress when event is being investigated or reviewed
- In Progress - transitions to Pending when closure is pending some action
- Pending - transitions to Resolved when event is resolved but not verified
- Resolved - transitions to Closed after verification
- Closed - the issue has been resolved and verified
Some of these statuses can be disabled from the Edit Notable Event Status panel. Go to Configure > Incident Management > Notable Event Statuses. To disable a status, click Disable.
User authorization
Authorization for each status transition can be assigned to specific user roles. For example, a pciadmin can close an issue, while a pcianalyst can assign an event and change its status from New to In Progress.
See "Configure user roles" in this document for more information about user roles and their permissions.
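The rules described in the sections above (the default status and transitions, the end status, per-role authorization of each transition, the mandatory comment setting with a minimum length, and verification of a Resolved event by another party before it is Closed) can be modelled as a small state machine. The following is an added example written for this page, not code from the Splunk App for PCI Compliance; the role names, the full authorization matrix, the comment settings and the sample events are assumptions:

```python
"""Model of the notable event workflow on this page (illustration only,
not the app's implementation). Role names, the authorization matrix,
the comment settings and the sample events are assumptions."""
from dataclasses import dataclass, field

# Transitions from the page. Resolved can also be reached straight from
# In Progress ("it might go straight to Resolved").
TRANSITIONS = {
    "New": {"In Progress"},
    "In Progress": {"Pending", "Resolved"},
    "Pending": {"Resolved"},
    "Resolved": {"Closed"},
    "Closed": set(),  # end status: nothing leads out of it
}
DEFAULT_STATUS = "New"  # the one status with "Default status" checked

# Assumed authorization. The page states only that pcianalyst may move
# New -> In Progress and that pciadmin may close an issue.
AUTHORIZED = {
    "pcianalyst": {("New", "In Progress"), ("In Progress", "Pending"),
                   ("In Progress", "Resolved"), ("Pending", "Resolved")},
    "pciadmin": {(s, d) for s, dsts in TRANSITIONS.items() for d in dsts},
}

COMMENT_REQUIRED = True   # Incident Review Setting > Comments (assumed)
MIN_COMMENT_LENGTH = 10


class WorkflowError(Exception):
    """Raised when an edit violates the configured workflow."""


@dataclass
class NotableEvent:
    rule_name: str
    status: str = DEFAULT_STATUS
    owner: str = "unassigned"
    audit: list = field(default_factory=list)     # (actor, before, after, comment)
    rejected: list = field(default_factory=list)  # messages of refused edits


def _check_comment(comment):
    if COMMENT_REQUIRED and len(comment.strip()) < MIN_COMMENT_LENGTH:
        raise WorkflowError(f"a comment of at least {MIN_COMMENT_LENGTH} characters is required")


def assign(event, owner, actor, comment=""):
    """Change the owner; this is an edit, so the comment rule applies."""
    _check_comment(comment)
    event.audit.append((actor, f"owner={event.owner}", f"owner={owner}", comment))
    event.owner = owner
    return event.owner


def transition(event, new_status, actor, role, comment=""):
    """Move an event to new_status, enforcing every configured check."""
    if not TRANSITIONS[event.status]:
        raise WorkflowError(f"{event.status} is an end status; the event cannot be changed")
    if new_status not in TRANSITIONS[event.status]:
        raise WorkflowError(f"{event.status} -> {new_status} is not a configured transition")
    if (event.status, new_status) not in AUTHORIZED.get(role, set()):
        raise WorkflowError(f"role {role} is not authorized for {event.status} -> {new_status}")
    if new_status == "Closed":
        # Verification by another party: whoever resolved it must not close it.
        resolver = next((a for a, _, after, _ in reversed(event.audit) if after == "Resolved"), None)
        if resolver == actor:
            raise WorkflowError("closing requires verification by someone other than the resolver")
    _check_comment(comment)
    event.audit.append((actor, event.status, new_status, comment))
    event.status = new_status
    return event.status


def run_default_workflow():
    """Walk one constructed event through the default workflow and return it."""
    ev = NotableEvent(rule_name="Cardholder data found in clear text")  # constructed
    assign(ev, "pcianalyst", actor="pcianalyst", comment="Taking this for triage")
    transition(ev, "In Progress", "pcianalyst", "pcianalyst", "Reviewing the source host")
    transition(ev, "Resolved", "pcianalyst", "pcianalyst", "Data purged, encryption enforced")
    try:  # the analyst is not authorized to close; an admin must verify
        transition(ev, "Closed", "pcianalyst", "pcianalyst", "Closing my own ticket")
    except WorkflowError as err:
        ev.rejected.append(str(err))
    transition(ev, "Closed", "pciadmin", "pciadmin", "Verified remediation evidence")
    return ev


def attempt_self_verification():
    """An admin who resolved an event tries to close it; return the rejection."""
    ev = NotableEvent(rule_name="Unauthorized change to firewall rule")  # constructed
    transition(ev, "In Progress", "pciadmin", "pciadmin", "Reviewing change record")
    transition(ev, "Resolved", "pciadmin", "pciadmin", "Rule reverted and documented")
    try:
        transition(ev, "Closed", "pciadmin", "pciadmin", "Closing as verified")
    except WorkflowError as err:
        return str(err)
    return None
```

Every refused edit raises WorkflowError and leaves the event untouched, which mirrors the page's point that a transition can be taken only when it is both configured and authorized for the role; run_default_workflow() returns the event so that its audit list can be inspected as the record a mandatory comment policy produces.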
Notable event suppression
Click Configure on the menu bar to open the Configuration panel, then click Incident Management > Notable Event Suppressions. The Notable Event Suppression panel lists the existing suppressions and shows whether each one is enabled.
Suppressing notable events
A notable event suppression hides events that are already in the notable index and that you do not want to appear on the dashboards. Suppressed events are hidden from view, not removed from the index.
Use Notable Event Suppressions to view, modify, or delete notable event suppressions.
Go to Configure > Incident Management > Notable Event Suppressions.
Create notable event suppressions
1. Select Configure > Incident Management > Notable Event Suppressions.
2. Click New to create a new notable event suppression.
3. Add information to the fields and click Save.
See "How to suppress notable event filters" in this manual for information about how to create a notable event suppression.
Edit or disable notable event suppressions
1. Go to Configure > Incident Management > Notable Event Suppressions.
2. Click the name of the suppression to edit.
3. In the editor, make the desired changes.
4. Click Save.
To disable (or enable) an individual notable event suppression:
1. Click the enable or disable label next to the suppression name.
2. Click Save.
Audit suppression activity
The Notable Event suppression activity is shown in the Suppression Audit dashboard.
To audit suppression activity go to Audit > Suppression Audit.
Throttling
Throttling occurs before events are added to the notable event index, so throttled events are never written to the notable index. Throttling prevents duplicate notable events from being created for the same underlying condition.
Suppression
Suppression is applied to events that are already in the notable index. Use suppression for events on which you cannot currently act and do not want to appear in dashboards. Suppression hides alerts that you do not want to see; it does not remove them from the index, and the hidden events remain available for auditing.
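To make the distinction concrete, the following added example (illustration code written for this page, not the app's implementation) simulates both stages on a constructed batch of correlation search results. The field names, the throttle window, the suppression and the sample results are assumptions:

```python
"""Throttling versus suppression, modelled in plain Python (illustration
only, not the app's code). Throttling runs when a correlation search fires,
before anything is written to the notable index, so dropped results are
gone for good. Suppression runs when the index is read for a dashboard, so
hidden events stay indexed, can be audited, and come back when the
suppression is disabled. Field names, window and samples are constructed."""

# Constructed sample: one correlation search firing five times in five
# minutes for the same source and destination, plus one from a second source.
SAMPLE_RESULTS = [
    {"_time": 1700000000 + 60 * i, "rule_name": "Excessive Failed Logins",
     "src": "10.1.1.5", "dest": "pci-db01", "severity": "high"}
    for i in range(5)
] + [
    {"_time": 1700000120, "rule_name": "Excessive Failed Logins",
     "src": "10.1.1.9", "dest": "pci-db01", "severity": "high"},
]

# Constructed suppression: hide results from a known scanner we cannot act on yet.
SUPPRESSIONS = [
    {"name": "vuln_scanner_credential_check", "enabled": True,
     "match": {"rule_name": "Excessive Failed Logins", "src": "10.1.1.9"}},
]


def throttle(results, key_fields, window_seconds):
    """Keep the first result per distinct key within each window; drop the rest.

    Returns (kept, dropped). Only `kept` would be written to the notable index.
    """
    last_written = {}
    kept, dropped = [], []
    for r in sorted(results, key=lambda r: r["_time"]):
        key = tuple(r[f] for f in key_fields)
        t0 = last_written.get(key)
        if t0 is not None and r["_time"] - t0 < window_seconds:
            dropped.append(r)          # never reaches the index
            continue
        last_written[key] = r["_time"]
        kept.append(r)
    return kept, dropped


def suppress(notable_index, suppressions):
    """Filter indexed events for display. Nothing is removed from the index.

    Returns (visible, hidden); each hidden entry pairs the event with the name
    of the suppression that matched it, which is what a suppression audit shows.
    """
    visible, hidden = [], []
    for ev in notable_index:
        match = next((s["name"] for s in suppressions
                      if s["enabled"] and all(ev.get(k) == v for k, v in s["match"].items())),
                     None)
        if match:
            hidden.append((match, ev))
        else:
            visible.append(ev)
    return visible, hidden


def demo():
    """Run both stages and return counts that show the difference between them."""
    kept, dropped = throttle(SAMPLE_RESULTS, ("rule_name", "src", "dest"), 300)
    notable_index = list(kept)                           # only survivors are indexed
    visible, hidden = suppress(notable_index, SUPPRESSIONS)
    disabled = [dict(s, enabled=False) for s in SUPPRESSIONS]
    visible_after, _ = suppress(notable_index, disabled)  # hidden events come back
    return {
        "throttled_out": len(dropped),                   # unrecoverable
        "indexed": len(notable_index),
        "visible": len(visible),
        "hidden": len(hidden),
        "hidden_by": [name for name, _ in hidden],
        "visible_after_disable": len(visible_after),
    }


if __name__ == "__main__":
    print(demo())
```

With a 300-second window keyed on rule_name, src and dest, four of the five repeats from 10.1.1.5 are throttled and never indexed, while the single result from 10.1.1.9 is indexed, hidden by the suppression, attributed to it in the audit output, and visible again the moment the suppression is disabled. That is the practical reason to throttle at the correlation search for true duplicates and to suppress only what you still want on record.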
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1