Splunk Enterprise Security 6.X - Notables not showing in Incident Management

QuintonS
Path Finder

Hi,

I have an issue at a customer where ES is not showing the notables on the Incident Management page or the Security Posture page. I have confirmed that the custom correlation searches are enabled, and they are successfully running and creating alerts, as seen on the "Activity" -> "Alerts" page.
I have found that the "Notables" Index is empty over the past 30 days.

I would really appreciate some assistance on this topic, as I have looked at all the articles on Answers and cannot seem to find the issue.


QuintonS
Path Finder

Answering my own question here so that everyone is aware.

The problem was related to the "Splunk_SA_cim" app. When installing this app on Search Heads (or SH clusters), be sure not to remove the "inputs.conf", as per the documentation. Splunk ES writes notables to disk, and the inputs.conf within the CIM app then grabs these and writes them to the "Notable" index, which in turn allows the Incident Management page to display the notables.

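One way to verify the ingest path described in the accepted answer, as an added example that is not from this thread or from Splunk: a small Python check that parses a merged inputs.conf (for instance the output of `splunk btool inputs list` on the search head) and reports whether a file input reading the Splunk spool directory is present and enabled. The sample stanza below is a constructed, assumed shape of that spool input; it is not quoted from Splunk_SA_CIM.

```python
import configparser
from typing import Dict, List

# Constructed sample of a merged inputs.conf. The batch stanza is an ASSUMED
# shape of the spool input that picks up the stash files ES writes for notable
# events; it is not the stanza shipped in Splunk_SA_CIM.
SAMPLE_OK = """
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
move_policy = sinkhole
sourcetype = stash_new
queue = stashparsing
crcSalt = <SOURCE>
"""

# Same stanza but disabled. The failure in the thread (inputs.conf removed
# entirely) corresponds to passing an empty string.
SAMPLE_DISABLED = SAMPLE_OK + "disabled = 1\n"

SPOOL_MARKER = "/var/spool/splunk/"


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text (INI-like) into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case, e.g. crcSalt
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def spool_inputs(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return file-input stanzas (batch:// or monitor://) that read the spool dir."""
    return [s for s in conf
            if s.startswith(("batch://", "monitor://")) and SPOOL_MARKER in s]


def check_notable_ingest(text: str) -> str:
    """Classify the config as 'ok', 'disabled' or 'missing'."""
    conf = parse_inputs_conf(text)
    stanzas = spool_inputs(conf)
    if not stanzas:
        return "missing"  # no spool input: stash files are never indexed
    for s in stanzas:
        if conf[s].get("disabled", "0").strip().lower() not in ("1", "true"):
            return "ok"
    return "disabled"


if __name__ == "__main__":
    for label, sample in (("intact", SAMPLE_OK), ("disabled", SAMPLE_DISABLED), ("removed", "")):
        print(f"{label}: {check_notable_ingest(sample)}")
```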

DavidHourani
Super Champion

tricky one 😉

skalliger
Motivator

Your correlation search needs to run an adaptive response called "Notable" which then will create a notable event with all the necessary information to write into the notable index. Did you check that your CS has the notable action enabled?

Skalli

QuintonS
Path Finder

Hi,

Yes, we have checked this and all the custom CS's have got the notable action enabled.

Thanks

skalliger
Motivator

Do you have the Monitoring Console enabled somewhere? Checked for skipped searches?

QuintonS
Path Finder

Yes, we do. I can see a couple of skipped searches, but when looking at the CS's in content management they have 100% success rate and no skipped searches at all.

skalliger
Motivator

Okay, that's strange. Can you try to manually create a notable event and see whether the notable event gets created? https://docs.splunk.com/Documentation/PCI/4.1.0/Install/Notableevents#Create_a_notable_event_from_an...
What versions of Core and ES are you running?

QuintonS
Path Finder

Manually created the notable from event actions; nothing in the Notable index and nothing in Incident Management. We are running Splunk Enterprise 8.0.1 with ES 6.x.

I'm stumped on this one! The strange thing is that the custom CS's were creating notables and showing in the Incident Management page as well as the Notable index, and then stopped on the 27th February for some reason.
