This one is, in a sense, a continuation of Enterprise Security: How can I trace the notable events?
Running - index=_internal component=SavedSplunker status=success sourcetype=scheduler indextime2 result_count>0 suppressed=0 app=SplunkEnterpriseSecuritySuite
for the past 24 hours and I get 10 events.
However, index=notable
returns 0 events and I verified that the notable index exists.
@danielbb Was there any event that would satisfy the correlation searches and would trigger notable event? The query you posted just shows the scheduled jobs running on ES , it doesn't mean that there was a condition met for notable events in correleation searches.
Also make sure you have sufficient permissions to access notable index.
@danielbb Was there any event that would satisfy the correlation searches and would trigger notable event? The query you posted just shows the scheduled jobs running on ES , it doesn't mean that there was a condition met for notable events in correleation searches.
Also make sure you have sufficient permissions to access notable index.
@solarboyz1 explained in the "parent" thread, if I understand it correctly, that a notable event should be produced.
I do have access to this index...
@danielbb Sorry I didn't know there was a parent thread. Yes that's correct a notable event or Indicator of Compromise should be produced in order to populate notable index. You can create a test correlation search and test it with any event , just to check . Any event in . notable index would update the Security Posture Dashboard and Incident Review dashboard.
Great. I just updated the parent one and alert_actions
is actually empty in my case.