Hi @Mark_Heimer ,

did you modified only the Correlation Search name or also the Notable name?

in the Incident Review name you see the Notable name not the Correlations Search name.

In addition, I always prefer, when I clone a CS, move it in a custom app and don't release it in the Enterprise Security apps, in this way, I have all the customizations in a custom app, it isn't mandatory but you have a cleaner and more ordered situation.

Ciao.

Giuseppe

Hi dear Giuseppe,

thanks for fast reply.

here is what i did.

I click on Configure menu, then go on to Content/Content Management. From filers I select and check Correlation Search from the drop-down list. then from "Actions" on the top right corner i hit "Clone".

in the new window there are "New Search Label" which i add "- custom"  to the end of it. then i select the App and put it on "SA-AccessProtection".

next in "Edit Correlation Search " i  will make any change to the "Search" and click save. Done!

this is all i do.

The point is even if i enable both of them, the two will appear in the "Top Notable Events" pane and both are working simultaneously. clicking on the original rule redirects u to the "Incident Review" page with the correct rule selected as source. but when clicking on the cloned or newly created rule you'll be redirected to the "Incident Review" page with all incidents listed and source field has no selected value.

the strange part is that rules that i had created or cloned in the past (about ) are working fine.

Hi @Mark_Heimer ,

you should have, in the bottom of the form, the choice of the Adaptive Response Action, and between them you should have Create Notable.

In this part of the Form, you can modify the name of the Notable.

About the app, Splunk PS hints to save own Correlation Searches in a dedicated custom app not in "SA-AccessProtection".

Ciao.

Giuseppe

Hi  dear Giuseppe,

when i clone a rule, Adaptive Response Actions  options (i.e. Notable) and most of the times, Risk Analysis are present by default as are other fields and options the same as the original rule. that's why i clone a rule.

second, i used to do so for a long time but never had come up with this problem. and as you mentioned earlier my custom rules were working just fine.

about the app, i used my custom app and "SA-AccessProtection" was my last try.

And for newly created custom app i do create notable.

thanks

Hi @Mark_Heimer ,

obviously cloning a CS you have the same settings of the original one, so also the same Notable name.

My hint is to enter in the cloned Create Notable Adaptive Response Action, and modify the Notable Name, in this way, you'll have in the Incident View the modified name.

About the app to contain the custom CSs, this is an hint from PS.

Ciao.

Giuseppe

Hi,

Another strange thing that happens to me and i just realized is that when i refresh the page "incident Review" with correctly loaded filters and showing true notable results, the filter "source" becomes something like this:

source: Access%20-%20Excessive%20Failed%20Logins%20-%20Rule

And no results are shown on the page after page refresh.

thanks.

Hi @Mark_Heimer ,

check how you created the drilldown filter, because these are html codes.

Ciao.

Giuseppe

Hi Giuseppe,

I did exactly what you said. but no luck!

In another try, I even created a search and saved it as an alert, named it "rule-4444" then added a notable to it as an action.

it appeared as "rule-4444" in the "Top Notable Events" in the Security Posture page. but when i click on it, it is redirected to incident review page but again all incidents listed.

the same thing as ravida says happening.

when u first click on it, you can see the notable name in the URL after (incident review page )"/incident_review?form.rule_name=rule-4444" followed by earliest/latest timestamps

but after a while when the page load completes it disappears and is replaced with a new URL which only has the earliest/latest values

Hi @ravida,

I never experienced this behavior and I'm using many custom Correlation Searches,

Is this issue present for all the CS or only for that?

Ciao.

Giuseppe

It happens for all of them.

The strange part is, when i first click, you can see the notable name in the URL after "/incident_review?form.rule_name=(rule name)" followed by earliest/latest timestamos

but after a moment it disappears and is replaced with a new URL which only has the earliest/latest values 

Hi @ravida ,

as I said, I never experienced this behavior and I'm using many custom Correlation Searches,

Open a case to Splunk Support.

Ciao.

Giuseppe

They are blank. I was under the impression these are for showing the contributing events. Although I am trying to get the "Incident Review" to only show those notables in the list, instead of all notables.