Splunk Enterprise Security

Splunk Enterprise Security 6.X - Notables not showing in Incident Management

QuintonS
Path Finder

Hi,

I have an issue at a customer where ES is not showing the notables on the incident management page or the security posture page. I have confirmed that the custom correlation searches are enabled, and they are successfully running and creating alerts looking at the "Activity" -> "Alerts" page.
I have found that the "Notables" Index is empty over the past 30 days.

Would really appreciate some assistance on this topic, as I have looked at all the articles on Answers and cannot seem to find the issue.

0 Karma
1 Solution

QuintonS
Path Finder

Answering my own question here so that everyone is aware.

Problem was related to the "Splunk_SA_CIM" app. When installing this app on Search Heads (or SH clusters), be sure not to remove the "inputs.conf" as per the documentation. Splunk ES writes notables to disk, and the inputs.conf within the CIM app then grabs these and writes to the "Notable" index, which in turn allows the Incident Management page to display the notables.


DavidHourani
Super Champion

tricky one 😉

0 Karma

skalliger
Motivator

Your correlation search needs to run an adaptive response called "Notable" which then will create a notable event with all the necessary information to write into the notable index. Did you check that your CS has the notable action enabled?

Skalli
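The two configuration points raised in this thread, the notable adaptive response on each correlation search (skalliger's question above) and the inputs.conf in Splunk_SA_CIM that feeds the notable index (the accepted answer), can both be checked offline by parsing the relevant .conf files. The script below is an added example, not code from the thread or from Splunk; the stanza names, search names and spool path in the sample text are constructed for illustration, and only the keys action.notable, disabled and index are real Splunk/ES settings.

```python
"""Added example: parse Splunk .conf text and check the two ES points discussed above.

Check 1: does each correlation search in savedsearches.conf have the Notable
         adaptive response enabled (action.notable = 1) and is it not disabled?
Check 2: does inputs.conf still contain an input stanza that writes to index=notable?

All sample stanzas, search names and paths below are constructed for the example.
"""
import re


def parse_conf(text):
    """Parse Splunk .conf syntax into {stanza: {key: value}}.

    Handles '#' comment lines, blank lines, backslash line continuation and
    keys that appear before the first stanza header (stored under 'default').
    """
    stanzas = {"default": {}}
    current = "default"
    # a trailing backslash continues the setting on the next line
    for raw in re.sub(r"\\\n", "", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # tolerate a malformed line rather than abort the whole check
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def is_true(value):
    """Splunk accepts several spellings for a boolean setting."""
    return str(value).strip().lower() in ("1", "true", "t", "yes", "y")


def correlation_search_status(savedsearches_text):
    """Return {search_name: {'enabled': bool, 'notable_action': bool}} per stanza."""
    status = {}
    for name, keys in parse_conf(savedsearches_text).items():
        if name == "default":
            continue
        status[name] = {
            "enabled": not is_true(keys.get("disabled", "0")),
            "notable_action": is_true(keys.get("action.notable", "0")),
        }
    return status


def stanzas_feeding_index(inputs_text, index="notable"):
    """Names of inputs.conf stanzas whose 'index' setting targets the given index."""
    return [name for name, keys in parse_conf(inputs_text).items()
            if keys.get("index", "").lower() == index]


def diagnose(savedsearches_text, inputs_text):
    """Combine both checks into a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    for name, st in correlation_search_status(savedsearches_text).items():
        if st["enabled"] and not st["notable_action"]:
            findings.append(f"{name}: enabled but action.notable is not set, so it will never create a notable")
    if not stanzas_feeding_index(inputs_text):
        findings.append("no inputs.conf stanza writes to index=notable; check the Splunk_SA_CIM inputs.conf was kept")
    return findings


# constructed sample savedsearches.conf (search names are made up for the example)
SAVEDSEARCHES_SAMPLE = """\
[Custom - Excessive Failed Logins - Rule]
disabled = 0
action.notable = 1
action.notable.param.rule_title = Excessive failed logins from $src$
search = index=auth action=failure \\
  | stats count by src | where count > 50

[Custom - Rare Process - Rule]
disabled = 0
action.risk = 1
# notable action never enabled: the search runs, but nothing reaches Incident Review
"""

# constructed sample of an inputs.conf that still routes notables to the index
# (the batch path is hypothetical, not the real Splunk_SA_CIM stanza)
INPUTS_SAMPLE_INTACT = """\
[batch://$SPLUNK_HOME/var/run/splunk/example_notable_spool/*]
index = notable
move_policy = sinkhole
"""

# constructed sample: the inputs.conf was emptied during install
INPUTS_SAMPLE_STRIPPED = """\
# intentionally empty
"""

if __name__ == "__main__":
    for finding in diagnose(SAVEDSEARCHES_SAMPLE, INPUTS_SAMPLE_STRIPPED):
        print("FINDING:", finding)
```

On a real search head the two texts would be read from the app's default and local inputs.conf and savedsearches.conf (local overrides default, so both layers need to be merged before judging a stanza); the parser above only shows the check on one file at a time.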

QuintonS
Path Finder

Hi,

Yes, we have checked this and all the custom CS's have got the notable action enabled.

Thanks

0 Karma

skalliger
Motivator

Do you have the Monitoring Console enabled somewhere? Checked for skipped searches?

0 Karma

QuintonS
Path Finder

Yes, we do. I can see a couple of skipped searches, but when looking at the CS's in content management they have 100% success rate and no skipped searches at all.

0 Karma

skalliger
Motivator

Okay, that's strange. Can you try to manually create a notable event and see whether the notable event gets created? https://docs.splunk.com/Documentation/PCI/4.1.0/Install/Notableevents#Create_a_notable_event_from_an...
What version of Core and ES are you running?

0 Karma

QuintonS
Path Finder

Manually created the notable from event actions; nothing in the Notable index and nothing in Incident Management. We are running Splunk Enterprise 8.0.1 with ES 6.x.

I'm stumped on this one! The strange thing is that the custom CS's were creating notables and showing in the Incident Management page as well as the Notable index, and then stopped on 27th February for some reason.

0 Karma