
Splunk Enterprise Security 6.X - Notables not showing in Incident Management

QuintonS
Path Finder

Hi,

I have an issue at a customer where ES is not showing the notables on the incident management page or the security posture page. I have confirmed that the custom correlation searches are enabled, and they are successfully running and creating alerts looking at the "Activity" -> "Alerts" page.
I have found that the "Notables" Index is empty over the past 30 days.

Would really appreciate some assistance on this topic, as I have looked at all the articles on Answers and cannot seem to find the issue.

1 Solution

QuintonS
Path Finder

Answering my own question here so that everyone is aware.

The problem was related to the "Splunk_SA_cim" app. When installing this app on Search Heads (or SH clusters), be sure not to remove the "inputs.conf", as per the documentation. Splunk ES writes notables to disk, and the inputs.conf within the CIM app then grabs these and writes them to the "Notable" index, which in turn allows the Incident Management page to display the notables.
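The root cause above is a missing (or disabled) input stanza feeding the notable index. The following added check, which is not part of the thread or of Splunk_SA_CIM, parses an app's `default/inputs.conf` and `local/inputs.conf`, applies Splunk's local-over-default precedence per key, and reports whether any enabled input still routes to `index = notable`. The stanza path and sourcetype in the sample are constructed placeholders, not the real CIM stanza.

```python
"""Does this app's inputs.conf still carry an enabled input writing to the
notable index?  Added diagnostic; stanza names are constructed placeholders."""
from configparser import ConfigParser


def parse_conf(text):
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}."""
    # Splunk conf has no %-interpolation, and '[default]' is an ordinary stanza.
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",),
                      default_section="__unused__")
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def merge_layers(default_text, local_text):
    """Within one app, local/ overrides default/ key by key (as btool does)."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def notable_inputs(merged):
    """Return (stanza, enabled) for every input that routes to index=notable."""
    result = []
    for stanza, keys in merged.items():
        if stanza == "default" or keys.get("index", "").lower() != "notable":
            continue
        off = keys.get("disabled", "0").strip().lower() in ("1", "true", "t", "yes")
        result.append((stanza, not off))
    return result


def diagnose(default_text, local_text=""):
    """'ok', 'missing' (no stanza feeds the index) or 'disabled' (all are off)."""
    inputs = notable_inputs(merge_layers(default_text, local_text))
    if not inputs:
        return "missing"
    return "ok" if any(enabled for _, enabled in inputs) else "disabled"


# Constructed sample layers (placeholder path, not the real CIM stanza).
SAMPLE_DEFAULT = """[monitor://$SPLUNK_HOME/var/log/splunk/EXAMPLE_notable.log]
index = notable
sourcetype = example_notable
"""
SAMPLE_LOCAL_DISABLED = """[monitor://$SPLUNK_HOME/var/log/splunk/EXAMPLE_notable.log]
disabled = 1
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEFAULT))                         # ok
    print(diagnose("# inputs.conf deleted from the app"))   # missing
    print(diagnose(SAMPLE_DEFAULT, SAMPLE_LOCAL_DISABLED))  # disabled
```

Run it against the app's real `default/` and `local/` files to confirm which of the three states the search head is in before looking further at the correlation searches.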


DavidHourani
Super Champion

tricky one 😉


skalliger
SplunkTrust

Your correlation search needs to run an adaptive response called "Notable" which then will create a notable event with all the necessary information to write into the notable index. Did you check that your CS has the notable action enabled?

Skalli

QuintonS
Path Finder

Hi,

Yes, we have checked this and all the custom CS's have got the notable action enabled.

Thanks


skalliger
SplunkTrust

Do you have the Monitoring Console enabled somewhere? Checked for skipped searches?


QuintonS
Path Finder

Yes, we do. I can see a couple of skipped searches, but when looking at the CS's in content management they have 100% success rate and no skipped searches at all.


skalliger
SplunkTrust

Okay, that's strange. Can you try to manually create a notable event and see whether the notable event gets created? https://docs.splunk.com/Documentation/PCI/4.1.0/Install/Notableevents#Create_a_notable_event_from_an...
What versions of Core and ES are you running?


QuintonS
Path Finder

Manually created the notable from event actions; nothing in the Notable index and nothing in Incident Management. We are running Splunk Enterprise 8.0.1 with ES 6.x.

I'm stumped on this one! The strange thing is that the custom CS's were creating notables and showing in the Incident Management page as well as the Notable index, and then stopped on the 27th of February for some reason.
