Is it possible to create notable events in Splunk Cloud or is it only native to Enterprise Security? The detection rule below is creating actions=risk, notable and assigning some parameters in the notable event. Is it possible to implement this rule as it is with actions notable events in Splunk Cloud or is it only possible in Enterprise Security? I know the alert can be created in Splunk Cloud with its alerting feature, but I am wondering if we need to modify the actions part of the detection rule if notable events do not exist in Splunk Cloud. Thank you.
[Possible Remote Administration Tools Detected (via office365)]
alert.severity = 3
description = Remote administration tool is software that helps the administrator or attacker to receive full control of the targeted device.
cron_schedule = 0 * * * *
disabled = 1
is_scheduled = 1
is_visible = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
search = index=* ((Operation="FileUploaded" OR Operation="FileAccessed" OR Operation="FileDownloaded")
alert.suppress = 0
alert.track = 1
actions = risk,notable
action.risk = 1
action.risk.param._risk_object_type = user
action.risk.param._risk_score = 75
action.correlationsearch = 0
action.correlationsearch.enabled = 1
action.notable.param.rule_title = Possible Remote Administration Tools Detected (via office365)
action.notable.param.rule_description = Remote administration tool is software that helps the administrator or attacker to receive full control of the targeted device.
action.correlationsearch.label = Possible Remote Administration Tools Detected (via office365)
action.correlationsearch.annotations = {"mitre_attack": ["T1204"]}
