Hello all,
I am struggling with customizing my Splunk ES's Incident Review panel. I have integrated Suricata IDS logs to ES (using Splunk CIM and TA-Suricata) and I would like to output Suricata alerts as notable events in Splunk ES.
Facts:
1. I have created a Splunk Correlation search in Content Management "Suricata Medium Severity Alert" which has a custom search:
index=suricata sourcetype=suricata event_type=alert alert.severity=2
2. In Adaptive Response Actions I added a Notable with the following custom settings:
Title: $signature$ (in order to output the Suricata Alert Signature Title)
Description: A medium severity alert ($signature_id$) was triggered on $src$
Notes:
- Search runs every 5 minutes.
- I save and enable the Correlation search and I see that a Saved Search "Threat - Suricata Medium Severity Alert - Rule" is created.
What is the problem:
- In the Incident Review console, though, the new Notable's "Title" shows the Saved Search's title ("Threat - Suricata Medium Severity Alert - Rule") and not the custom title ($signature$, e.g. "ET POLICY SMB2 NT Create AndX Request For an Executable File") set on the Notable action.
- Description: is "unknown"
Notes:
- The Notable event is successfully created and it contains all variable fields (src, signature, signature_id).
- All fields are shown on Additional info on the notable, but the point is that variables do not show
Troubleshooting done so far:
- Deleted and recreated Correlation searches and Saved Searches
- Restarted Splunk
- Rebooted OS
Splunk Version: 6.2.2 (Distributed Environment)
Splunk ES: 6.6.0
Splunk CIM: 4.20.0
Any help would be appreciated.
Regards,
Chris
After digging a bit more, I have found the solution.
I have mistakenly disabled the "Threat - Correlation Searches - Lookup Gen" Report. Re-enabled and works like a charm.
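For readers who manage this outside the UI, here is what the correlation search described in the question looks like as a savedsearches.conf stanza, alongside the lookup-generating report the answer identifies as the missing piece. This is an added illustration, not configuration taken from the original post or from Splunk ES itself; the stanza names, the index/sourcetype values and the cron schedule are copied from the post, while the attribute names follow the savedsearches.conf layout used by Splunk ES 4.x and later (older releases kept correlation-search metadata in correlationsearches.conf), so treat them as an assumption to check against your own version's spec file.

```ini
# Example only (not from the original post): the correlation search as the
# poster describes it, expressed as a savedsearches.conf stanza.
[Threat - Suricata Medium Severity Alert - Rule]
search = index=suricata sourcetype=suricata event_type=alert alert.severity=2
cron_schedule = */5 * * * *
enableSched = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now
# Marks the saved search as an ES correlation search (attribute names assumed
# from the ES 4.x+ layout; verify against your savedsearches.conf.spec).
action.correlationsearch.enabled = 1
action.correlationsearch.label = Suricata Medium Severity Alert
# Notable adaptive response action with the field tokens from the post.
# These tokens are substituted from the correlation-search lookup, which is
# why the lookup-generating report below has to be enabled.
action.notable = 1
action.notable.param.rule_title = $signature$
action.notable.param.rule_description = A medium severity alert ($signature_id$) was triggered on $src$
action.notable.param.severity = medium
action.notable.param.security_domain = network

# The report the answer re-enabled. Its stanza lives in the ES app that ships
# it; the only attribute that matters for the symptom in the question is that
# it is not disabled. Leave its search and schedule as shipped.
[Threat - Correlation Searches - Lookup Gen]
disabled = 0
```

A quick way to confirm the state the answer describes is to open Settings > Searches, reports, and alerts, filter on "Lookup Gen", and verify that "Threat - Correlation Searches - Lookup Gen" is enabled and has run since the correlation search was created; until it has, new notables fall back to the saved-search name as their title and "unknown" as their description, exactly as reported above.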