I am reviewing the results for the 'ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule' correlation search in Enterprise Security, and when I click on 'View all review activity for this Notable Event', I get no results. I see it pulls rule IDs from the incidentreview_lookup; however, the rule IDs it's looking for do not exist. Rule IDs for a different correlation search exist in the lookup, but none for this search.
Any ideas what populates the lookup with rule IDs? Or what might prevent it from doing so?