Splunk Enterprise Security

Enterprise Security: why don't the incidents show up in the lookup?

Motivator

With all the help from @solarboyz1, the correlation searches now produce notable events, which show up in the Incident Review page.

index=notable shows them but | inputlookup incident_review_lookup shows zero results.

Why is that?


Builder

The state and ownership information are stored in the incident_review_lookup

Until an action is taken on the notable, I don't believe anything will be stored for it in incident_review_lookup.

http://dev.splunk.com/view/enterprise-security/SP-CAAAFA9

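An added example, not from this thread and not Splunk's own code, that puts the accepted answer to the test: it lists the notables from index=notable and marks which ones have a row in incident_review_lookup, i.e. which have ever been assigned, commented on or had their status changed. It assumes that notable events carry an event_id field and that the rule_id column of incident_review_lookup holds that same value, which is the convention ES's Incident Review relies on; the field names triaged and last_reviewed are my own.

```spl
index=notable earliest=-7d
| fields _time, event_id, rule_name, urgency
| join type=left event_id
    [| inputlookup incident_review_lookup
     | rename rule_id AS event_id
     | sort 0 - time
     | dedup event_id
     | rename time AS last_reviewed
     | fields event_id, last_reviewed, status, owner]
| eval triaged=if(isnull(last_reviewed), "no", "yes")
| eval last_reviewed=strftime(last_reviewed, "%Y-%m-%d %H:%M:%S")
| table _time, event_id, rule_name, urgency, triaged, owner, status, last_reviewed
| sort - _time
```

A freshly created notable shows triaged=no with empty owner and status, which is the behaviour the answer describes; after you assign it in Incident Review, rerunning the search shows triaged=yes with the assignee. The subsearch keeps only the most recent row per notable, since the lookup holds every status change as a separate row; status is stored as ES's numeric status id, not the label you see in the UI. For a headline count, replace the table and sort lines with `| stats count BY triaged`, and keep in mind that a join subsearch is capped by the subsearch row limit, so narrow the time range on busy installations.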

Motivator

Once you assign the notable event/incident to a user, you will notice records in the incident_review_lookup file.

Motivator

Right, just saw it running and | inputlookup incident_review_lookup shows the assigned incident.

