
Notables Are Not Being Created

daniaabujuma
Explorer

Hi Splunkers!

I am using Splunk Enterprise Security and creating correlation searches. I created one of them and tested it manually by running the search over a specific period of time; many events matched, but no notable events are being created. To test my correlation, I added another action (send email) to run when the correlation is triggered, and sure enough, an email was sent to me.

Can anyone help me solve this issue?


gcusello
SplunkTrust

Hi @daniaabujuma,

a very stupid question: did you add Notable creation as a Requested Action?

Notable Creation isn't enabled by default.

If yes, check the parameters you used.

Ciao.

Giuseppe

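The point in the reply above is that a correlation search only creates notables if the Notable adaptive response action is actually attached to the saved search, and that its parameters must be right. The following three SPL searches, added here as a diagnostic and not part of the original thread, let you verify that from the search head instead of from the UI. Run them one at a time. "My Correlation Search" is a placeholder for the correlation search name; the `alert.suppress*` fields are the standard savedsearches.conf throttling settings, the scheduler fields (`status`, `result_count`, `alert_actions`, `suppressed`) come from scheduler.log, and the `modular_alerts:notable` sourcetype for the Notable action's own log is an assumption about your ES version.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search title="My Correlation Search"
| table title disabled cron_schedule action.correlationsearch.enabled
        action.notable action.email
        action.notable.param.rule_title action.notable.param.severity
        alert.suppress alert.suppress.fields alert.suppress.period

index=_internal sourcetype=scheduler savedsearch_name="My Correlation Search"
| table _time status result_count alert_actions suppressed
| sort - _time

index=notable search_name="My Correlation Search"
| stats count min(_time) AS first_seen max(_time) AS last_seen
```

Reading the results: the first search should show `action.notable=1` alongside `action.email=1`; if only the email action is `1`, the notable action was never enabled on that search, which matches the symptom in the question. The second search shows, per scheduled run, whether `notable` appears in `alert_actions` and whether the run was `suppressed=1` by throttling, which would also explain an email on the manual run but no notable. The third search confirms whether anything at all reached the notable index under that `search_name`. If the scheduler shows `notable` firing but the index stays empty, `index=_internal sourcetype="modular_alerts:notable"` (assumed sourcetype) is where the action's own errors would appear.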

daniaabujuma
Explorer

Hi @gcusello ,

Thanks for the reply.

This is what I did; it works every time without issues, but I noticed that recently the newly created correlations aren't creating notables when triggered.

[screenshot attached: daniaabujuma_0-1694001861474.png]


gcusello
SplunkTrust

Hi @daniaabujuma,

check whether the options in the Notable creation are the same as those of the other Notables that are usually triggered.

Ciao.

Giuseppe


daniaabujuma
Explorer

Hello @gcusello ,

Yes, everything is exactly the same.


gcusello
SplunkTrust

Hi @daniaabujuma,

check the Correlation Search Name: it must be different from the others, otherwise you cannot distinguish it from them.

Ciao.

Giuseppe
