https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-enrich-notable-events-in-ES/m-p/660401#M11743 <P>Have you consulted resources like these?<BR /><BR /><A href="https://lantern.splunk.com/Security/UCE/Prioritized_Actions/Threat_intelligence/Using_threat_intelligence_in_Splunk_Enterprise_Security?_ga=2.158226682.1710119261.1697025883-338010800.1672937249&amp;_gl=1%2Aigs7z5%2A_ga%2AMzM4MDEwODAwLjE2NzI5MzcyNDk.%2A_ga_GS7YF8S63Y%2AMTY5NzAzMzQwMS45NS4xLjE2OTcwMzM5MDkuNDYuMC4w%2A_ga_5EPM2P39FV%2AMTY5NzAzMzQwMS4xMjMuMS4xNjk3MDMzOTIxLjAuMC4w" target="_blank" rel="noopener">Using threat intelligence in Splunk Enterprise Security</A>&nbsp;<BR /><BR /><A href="https://lantern.splunk.com/Security/Getting_Started/Unified_App_for_ES%3A_Enrich_and_submit_notable_events_-_Splunk_Intelligence_Management_(TruSTAR)" target="_blank" rel="noopener">Unified App for ES: Enrich and submit notable events - Splunk Intel Management (TruSTAR)</A>&nbsp;</P> Wed, 11 Oct 2023 14:21:57 GMT JohnEGones 2023-10-11T14:21:57Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-enrich-notable-events-in-ES/m-p/659699#M11730 <P>Hello all,</P> <P>&nbsp;We are wanting to enrich events as they become notables in ES before they are sent onto Mission control. Thoughts being, enrich the event via some sort of search ( all the data will be in splunk already) to add , DNS, DHCP, Threat intel and some endpoint data.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;Is it possible to have a search run for the notable index to gather information from other indexes and add them to the notable event?&nbsp; If so I would love to discuss.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 04 Oct 2023 21:44:41 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-enrich-notable-events-in-ES/m-p/659699#M11730 cjharmening 2023-10-04T21:44:41Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-enrich-notable-events-in-ES/m-p/660401#M11743 <P>Have you consulted resources like these?<BR /><BR /><A href="https://lantern.splunk.com/Security/UCE/Prioritized_Actions/Threat_intelligence/Using_threat_intelligence_in_Splunk_Enterprise_Security?_ga=2.158226682.1710119261.1697025883-338010800.1672937249&amp;_gl=1%2Aigs7z5%2A_ga%2AMzM4MDEwODAwLjE2NzI5MzcyNDk.%2A_ga_GS7YF8S63Y%2AMTY5NzAzMzQwMS45NS4xLjE2OTcwMzM5MDkuNDYuMC4w%2A_ga_5EPM2P39FV%2AMTY5NzAzMzQwMS4xMjMuMS4xNjk3MDMzOTIxLjAuMC4w" target="_blank" rel="noopener">Using threat intelligence in Splunk Enterprise Security</A>&nbsp;<BR /><BR /><A href="https://lantern.splunk.com/Security/Getting_Started/Unified_App_for_ES%3A_Enrich_and_submit_notable_events_-_Splunk_Intelligence_Management_(TruSTAR)" target="_blank" rel="noopener">Unified App for ES: Enrich and submit notable events - Splunk Intel Management (TruSTAR)</A>&nbsp;</P> Wed, 11 Oct 2023 14:21:57 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-enrich-notable-events-in-ES/m-p/660401#M11743 JohnEGones 2023-10-11T14:21:57Z