Splunk Enterprise Security

Rule_id's missing in incident_review_lookup for Correlation Search

Path Finder


I am reviewing the results for the 'ESCU - DNS Query Requests Resolved by Unauthorized DNS Servers - Rule' correlation search in Enterprise Security and when I click on 'View all review activity for this Notable Event' I get no results. I see it pulls ruleid's from the incidentreview_lookup however the rule id's it's looking for do not exist. Rule Id's for a different correlation search exist in the lookup but none for this search.

Any idea's what populates the lookup with rule id's? or what might prevent it from doing so?



0 Karma