We pushed the new app out on the ES cluster. After the app push, old notable events are showing up as "assigned" and our SOC analysts are having to deal with hundreds of old notable events.
Here is a procedure that could be attempted to fix the old notables that got unassigned.
- Check if the notables are unassigned on all SHC members; if not, maybe restore the lookup incident_review_lookup.
- Check for a backup and see if restoring may be an option.
- The other option would be to rebuild incident_review from audit data, which means we can only rebuild the last 30 days (assuming audit retention is 30 days).
View the current incident_review_lookup:
|inputlookup incident_review_lookup
Back up the incident_review_lookup:
|inputlookup incident_review_lookup |outputlookup support.csv
Verify the backup of the incident_review_lookup:
|inputlookup support.csv
Check _audit for notable events; set the time picker to All time and verify the data looks good:
index=_audit sourcetype=incident_review
| rex "@@\w+,(?
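As an added illustration of the rebuild step (not code from the original post): the audit trail holds one row per change to a notable, while incident_review_lookup holds only the latest state per notable, so a rebuild collapses audit rows to the newest per rule_id, and the audit retention window bounds what can be recovered. The column names (time, rule_id, owner, status, urgency, user) and the sample rows are assumptions; in practice the rows would be exported from the index=_audit search above.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample audit export: one row per change to a notable. The column
# names are assumed to mirror incident_review_lookup; they are not from the post.
AUDIT_CSV = """time,rule_id,owner,status,urgency,user
1700000000,abc-1,admin,2,high,alice
1700003600,abc-1,bob,3,high,bob
1700007200,def-2,carol,1,medium,carol
1600000000,old-3,dave,5,low,dave
"""

# Fixed "now" so the retention cutoff is deterministic (constructed value).
SAMPLE_NOW = datetime.fromtimestamp(1700010000, tz=timezone.utc)


def rebuild_incident_review(audit_csv, now, retention_days=30):
    """Collapse audit rows to the newest state per rule_id.

    Rows older than the audit retention window are skipped; rule_ids that
    only appear there are returned separately, since _audit cannot rebuild them.
    """
    cutoff = now - timedelta(days=retention_days)
    latest = {}
    too_old = set()
    for row in csv.DictReader(io.StringIO(audit_csv)):
        event_time = datetime.fromtimestamp(int(row["time"]), tz=timezone.utc)
        if event_time < cutoff:
            too_old.add(row["rule_id"])
            continue
        current = latest.get(row["rule_id"])
        if current is None or int(row["time"]) > int(current["time"]):
            latest[row["rule_id"]] = row
    # A rule_id is unrecoverable only if none of its changes fall in the window.
    return latest, too_old - set(latest)


def merge_with_backup(backup_rows, rebuilt):
    """Start from the backed-up lookup (support.csv rows, possibly with wrong
    owners) and overwrite with the audit-derived state where it exists."""
    merged = {row["rule_id"]: dict(row) for row in backup_rows}
    merged.update(rebuilt)
    return merged


if __name__ == "__main__":
    state, lost = rebuild_incident_review(AUDIT_CSV, SAMPLE_NOW)
    for rule_id, row in sorted(state.items()):
        print(rule_id, row["owner"], row["status"])
    print("unrecoverable from audit:", sorted(lost))
```

Write the merged rows back with csv.DictWriter and load them with |outputlookup once they have been checked against the backup.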