I've created a correlation search, then I want to add the send email response action with a link to this rule that show on incident review page, it will be easy for my team to access to this incident by the email and do more action.
Please recommend, I don' t want the link to alert result, I want the link to the incident review page that show only the incident from this rule.
you can't have from the same correlation search.
you need to create a search that uses `notable` macro where this will provide unique id for each notable.
that is event_id.
you need to prepare splunk_url in a way that the url will redirect user to incident review page.
if you are using enterprise security.
| eval minusFive=_time-300,plusFive=_time+300
| eval splunk_url="https://instancename/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.srch=event_id%3D"+event_id+"&form.srch=event_id%3D"+event_id+"&form.source="+search_name
+"&earliest="+minusFive+"&latest="+plusFive
you can't have from the same correlation search.
you need to create a search that uses `notable` macro where this will provide unique id for each notable.
that is event_id.
you need to prepare splunk_url in a way that the url will redirect user to incident review page.
if you are using enterprise security.
| eval minusFive=_time-300,plusFive=_time+300
| eval splunk_url="https://instancename/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.srch=event_id%3D"+event_id+"&form.srch=event_id%3D"+event_id+"&form.source="+search_name
+"&earliest="+minusFive+"&latest="+plusFive