How do you control who is in the drop down list of owners, so you can assign a ticket to someone else? It seems to have picked a bunch of random people and not the two people I need in there.
Make sure that the users you want to assign notable events to have the "can_own_notable_events" capability. Once you add that, you should see them in the list of people you can assign notable events to in a few minutes.
I believe your users need to be a member of the "Security Analyst" (don't remember the "correct" name) role
Read the docs, it is described in there how to setup / configure it correctly. 😉
The problem with this solution is that all Admins have the capability "can_own_notable_events" and they appear in the list among SOC analysts.
The workaround I found is to disable "es_notable_events" in the Lookup definitions page, and edit the KV store lookup "notable_owners" with the app "Splunk App for Lookup File Editing".
The impact of this solution is that newly added SOC members need to be added manually to the "notable_owners" lookup.
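As an added illustration of the capability-based approach from the earlier answer (not from any of the posters above), this is what granting "can_own_notable_events" through a dedicated role looks like in authorize.conf; the role name `soc_analyst` and its inheritance from the built-in `user` role are assumptions for the example.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf (or an app's local/ directory)
# Hypothetical role for SOC analysts who should appear in the notable-event owner list.
[role_soc_analyst]
importRoles = user
# The capability that makes a user selectable as a notable event owner.
can_own_notable_events = enabled

# Verify the effective role definition after the change (run on the search head):
#   $SPLUNK_HOME/bin/splunk btool authorize list role_soc_analyst --debug
# Then assign the role to the two analysts; they should show up in the owner
# drop-down once the owner lookup refreshes (the earlier answer says a few minutes).
# Note that any role already holding this capability (admin included, as the
# workaround post points out) will also remain in the list.
```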