Splunk Enterprise Security
Highlighted

Rule_id's missing in incident_review_lookup for Correlation Search

Path Finder

Hi,

I am reviewing the results for the 'ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule' correlation search in Enterprise Security and when I click on 'View all review activity for this Notable Event' I get no results. I see it pulls ruleid's from the incidentreview_lookup however the rule id's it's looking for do not exist. Rule Id's for a different correlation search exist in the lookup but none for this search.

Any idea's what populates the lookup with rule id's? or what might prevent it from doing so?

Cheers

Sam

0 Karma