I assume you're talking about Enterprise Security.
There are a couple of starting points. The `notable` macro will give you notable events from the index.
Also if you look in the Security Posture dashboard, you will see the 'Top Notable Events' panel, which has a search you can expand to see where the data is coming from.
Note that the notable macro will take data from the notable index, whereas the es_notable_events takes data from the es_notable_events lookup file.
You can always see what a search containing a macro expands to by pressing Ctrl-Shift-E or Cmd-Shift-E (Mac) and it shows what the full expanded search looks like with no macros.
Hope this gets you started.