ES Notable Security Domain Issue
Hello Everyone,
Currently I am using ES version 7.1.0. Recently, but I am not sure exactly when, the maintenance team upgraded Splunk and ES.
I was separating types of security incidents by creating and using security domains from security_domains.csv manually. As you know, there are 2 fields in the csv: security_domain and label. For example, I created a new security domain named "EPP Endpoint", filling both of these columns. Whenever a notable was created, it was created as "Epp endpoint", which is not how I had created it. I mean I was expecting something like "EPP Endpoint - my rule name - Rule", but this wasn't working as I expected.
Somehow, without changing anything in security domains, I created another notable with its domain "EPP Endpoint". Now my new notables are created as I expected before. For example: "EPP Endpoint - my new rule - Rule". I thought maybe it is related to the upgrade, but I checked the release notes and known issues and couldn't find any clue.
Also, in the correlationsearches.csv lookup, I can still see the difference, but my new notables are created as I expected.
I wonder why it is working in 2 ways. It affects my whole architecture, because I am fetching these notables into my SOAR and I have to define my correlations in order to determine their types in SOAR, and if I don't define them correctly, then the notable won't be classified correctly. What I mean is that "Epp endpoint - rulename - Rule" and "EPP Endpoint - rulename - Rule" differ.
I hope someone can help me with this issue. Thanks in advance.
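The post describes two failure modes on the SOAR side: the same security domain arriving under two casings ("Epp endpoint" vs. "EPP Endpoint"), and classification breaking when the title string does not match exactly. The following is an added example, not code from the poster, from Splunk or from any SOAR vendor. It shows one defensive way to classify notable titles of the form "<label> - <rule name> - Rule" against the security_domains.csv lookup using a normalised (case- and whitespace-insensitive) label match, and to report titles whose label drifts from the canonical casing so the root cause can be fixed in ES. The csv rows and notable titles are constructed for this example; the function names (`load_domain_index`, `classify_notable`, `find_label_drift`) are hypothetical.

```python
import csv
import io
import re

# Constructed sample of a security_domains.csv lookup. The two column names
# (security_domain, label) are the ones the post mentions; the rows are made up.
SECURITY_DOMAINS_CSV = """security_domain,label
access,Access
endpoint,Endpoint
network,Network
epp_endpoint,EPP Endpoint
"""

# Constructed notable titles, including the casing drift described in the post.
SAMPLE_NOTABLES = [
    "EPP Endpoint - Suspicious Process Tree - Rule",
    "Epp endpoint - Suspicious Process Tree - Rule",
    "Network - Unusual Outbound Volume - Rule",
    "Unknown Domain - Something - Rule",
]

# "<label> - <rule name> - Rule"; the label is the first " - " separated segment.
NOTABLE_RE = re.compile(r"^(?P<label>.+?) - (?P<rule>.+?) - Rule$")


def _norm(text):
    """Collapse internal whitespace and fold case so 'Epp endpoint' == 'EPP Endpoint'."""
    return " ".join(text.split()).casefold()


def load_domain_index(csv_text):
    """Map normalised label -> (security_domain, canonical label) from the lookup.

    Raises if two rows would collide after normalisation, because a
    case-insensitive match is only safe when the lookup is unambiguous.
    """
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = _norm(row["label"])
        entry = (row["security_domain"], row["label"])
        if key in index and index[key][0] != entry[0]:
            raise ValueError(f"ambiguous label after normalisation: {row['label']!r}")
        index[key] = entry
    return index


def classify_notable(title, index):
    """Return (security_domain, rule_name); security_domain is None if unknown.

    Both (None, None) for a title that does not follow the notable pattern.
    """
    match = NOTABLE_RE.match(title)
    if not match:
        return None, None
    entry = index.get(_norm(match.group("label")))
    domain = entry[0] if entry else None
    return domain, match.group("rule")


def find_label_drift(titles, index):
    """Return titles whose label maps to a known domain but differs in exact casing.

    These are the ones worth raising with the ES admin: the SOAR side can
    tolerate them, but the lookup and the generated titles should agree.
    """
    drifted = []
    for title in titles:
        match = NOTABLE_RE.match(title)
        if not match:
            continue
        entry = index.get(_norm(match.group("label")))
        if entry and match.group("label") != entry[1]:
            drifted.append(title)
    return drifted


if __name__ == "__main__":
    idx = load_domain_index(SECURITY_DOMAINS_CSV)
    for t in SAMPLE_NOTABLES:
        print(t, "->", classify_notable(t, idx))
    print("drifted:", find_label_drift(SAMPLE_NOTABLES, idx))
```

Normalising on the SOAR side keeps classification stable while the ES lookup and the generated titles disagree, and `find_label_drift` gives a concrete list of affected notables to take back to the Splunk admin rather than silently papering over the mismatch.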
