Configure how events are resolved
Set any tags needed before an event can be marked as resolved. Setting a custom field as a required tag updates the settings for the custom field.
To configure how an event is resolved, follow these steps:
- From the Home menu, select Administration.
- Select Event Settings > Resolution.
- Check the Require the Following Tags on Resolve checkbox.
- Type the names of any tags needed before an event or container can be marked as resolved. Tags can be removed by clicking the x next to the tag name.
- Set the action takes when artifacts are added to a resolved event. Select an action from the drop-down list that matches your business process.
- Select Keep Event Resolved to keep events resolved when new artifacts are added.
- Select Reopen Event to reopen any event that has a new artifact added.
- Select Duplicate Event to create a duplicate event, and then add the new artifact to the new event.
- Click Save Changes.
Configure the response times for service level agreements
Configure labels to apply to containers
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1
Feedback submitted, thanks!