How do the results of correlation events go to the "notable" index?
Is there any configuration file for this?
Also, if I manually call a correlation search, will those results also go to the notable index?
The events are sent to the notable index via a summary indexing alert action. Below is a sample of a correlation search's alert action that summary indexes the results:
# savedsearches.conf stanza for the correlation search
[Endpoint - Host Sending Excessive Email - Rule]
action.summary_index = 1
action.summary_index._name = notable
action.summary_index.ttl = 1p
Manually running the search interactively won't trigger the alert actions (that is something that the scheduler does).
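As an added example (not from the original answer or from Splunk ES itself), here is a small audit that parses savedsearches.conf-style text and reports, for every "- Rule" correlation search, whether its summary indexing alert action is enabled, routed to the notable index, and scheduled (since alert actions only fire from the scheduler). The three stanzas in SAMPLE_CONF are constructed for this example; the keys enableSched, cron_schedule and action.summary_index.* are standard savedsearches.conf settings.

```python
import configparser

# Constructed sample (not a real shipped ES file) with three correlation searches:
# one correctly routed to notable, one with summary indexing switched off,
# and one routed to a different index and never scheduled.
SAMPLE_CONF = """\
[Endpoint - Host Sending Excessive Email - Rule]
enableSched = 1
cron_schedule = */5 * * * *
action.summary_index = 1
action.summary_index._name = notable
action.summary_index.ttl = 1p

[Access - Brute Force Access Behavior Detected - Rule]
enableSched = 1
action.summary_index = 0
action.summary_index._name = notable

[Network - Unusual Volume of Network Activity - Rule]
enableSched = 0
action.summary_index = 1
action.summary_index._name = summary
"""

def parse_savedsearches(text: str) -> configparser.ConfigParser:
    """Parse savedsearches.conf-style text, keeping key case and literal '$' in values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys such as action.summary_index._name are case-sensitive
    cp.read_string(text)
    return cp

def audit_notable_routing(text: str) -> dict[str, list[str]]:
    """Return {stanza: [problems]} for each '- Rule' stanza.

    An empty list means the search's results will land in the notable index
    once the scheduler runs it and fires the alert action.
    """
    cp = parse_savedsearches(text)
    report: dict[str, list[str]] = {}
    for stanza in cp.sections():
        if not stanza.endswith(" - Rule"):
            continue  # ES correlation searches follow this naming convention
        sec = cp[stanza]
        problems = []
        if sec.get("action.summary_index", "0") != "1":
            problems.append("summary indexing alert action disabled")
        if sec.get("action.summary_index._name") != "notable":
            problems.append("summary index is not 'notable'")
        if sec.get("enableSched", "0") != "1":
            problems.append("not scheduled: alert actions only fire from the scheduler")
        report[stanza] = problems
    return report
```

Run it against a real savedsearches.conf (merged output of `btool savedsearches list` is easiest) to spot correlation searches whose notables silently never appear.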