Splunk Enterprise Security

Additional field is not populating in the ES Incident Review page for the AWS CloudTrail correlation search.


I have created a correlation search to get an alert for AWS CloudTrail activity in Enterprise Security. The alert is triggering but not populating any additional field in the Incident Review page.
What changes need to be made to get the additional fields in the Incident Review page for the AWS CloudTrail alert?
