Splunk Enterprise Security 6.X - Notables not showing in Incident Management

Path Finder

Hi,

I have an issue at a customer where ES is not showing the notables on the incident management page or the security posture page. I have confirmed that the custom correlation searches are enabled, and they are successfully running and creating alerts looking at the "Activity" -> "Alerts" page.
I have found that the "Notables" Index is empty over the past 30 days.

Would really appreciate some assistance on this topic, as I have looked at all the articles on Answers and cannot seem to find the issue.


Re: Splunk Enterprise Security 6.X - Notables not showing in Incident Management

SplunkTrust

Your correlation search needs to run an adaptive response called "Notable" which then will create a notable event with all the necessary information to write into the notable index. Did you check that your CS has the notable action enabled?

Skalli


Re: Splunk Enterprise Security 6.X - Notables not showing in Incident Management

Path Finder

Hi,

Yes, we have checked this and all the custom CS's have got the notable action enabled.

Thanks


Re: Splunk Enterprise Security 6.X - Notables not showing in Incident Management

SplunkTrust

Do you have the Monitoring Console enabled somewhere? Checked for skipped searches?


Re: Splunk Enterprise Security 6.X - Notables not showing in Incident Management

Path Finder

Yes, we do. I can see a couple of skipped searches, but when looking at the CS's in content management they have 100% success rate and no skipped searches at all.


Re: Splunk Enterprise Security 6.X - Notables not showing in Incident Management

SplunkTrust

Okay, that's strange. Can you try to manually create a notable event and see whether the notable event gets created? https://docs.splunk.com/Documentation/PCI/4.1.0/Install/Notableevents#Create_a_notable_event_from_an...
What version of Core and ES are running?


Re: Splunk Enterprise Security 6.X - Notables not showing in Incident Management

Path Finder

Manually created the notable from event actions: nothing in the Notable index and nothing in Incident Management. We are running Splunk Enterprise 8.0.1 with ES 6.x.

I'm stumped on this one! The strange thing is that the custom CS's were creating notables and showing in the Incident Management page as well as the Notable index, and then stopped on the 27th of February for some reason.


Re: Splunk Enterprise Security 6.X - Notables not showing in Incident Management

Path Finder

Answering my own question here so that everyone is aware.

The problem was related to the "SplunkSAcim" app. When installing this app on Search Heads (or SH clusters), be sure not to remove the "inputs.conf", as per the documentation. Splunk ES writes notables to disk, and the inputs.conf within the CIM app then grabs these and writes them to the "Notable" index, which in turn allows the Incident Management page to display the notables.

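A small health check that follows from this answer, written as an added example (it is not from the thread or from Splunk): parse a search head's inputs.conf the way Splunk reads it and report whether any input stanza actually routes into the notable index, so a missing or disabled stanza is caught before the Incident Management page goes quiet. The stanza path in the sample is a constructed placeholder, not the real Splunk_SA_CIM monitor path.

```python
import configparser

# Constructed sample of an inputs.conf on a search head. The monitor path is a
# placeholder; only the "index = notable" routing matters for this check.
SAMPLE_INPUTS_CONF = """\
[monitor://$SPLUNK_HOME/var/run/splunk/PLACEHOLDER_notable_dir/*]
index = notable
sourcetype = stash
disabled = 0
"""


def load_splunk_conf(text):
    """Parse Splunk's INI-style .conf text (no interpolation, duplicate keys tolerated)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key case as written
    parser.read_string(text)
    return parser


def notable_input_status(text):
    """Map each stanza that writes to index=notable -> True if enabled, False if disabled."""
    conf = load_splunk_conf(text)
    status = {}
    for stanza in conf.sections():
        if conf.get(stanza, "index", fallback="").strip().lower() == "notable":
            disabled = conf.get(stanza, "disabled", fallback="0").strip().lower()
            status[stanza] = disabled not in ("1", "true")
    return status


def diagnose(text):
    """One-line verdict: MISSING / DISABLED / OK, mirroring the failure in this thread."""
    status = notable_input_status(text)
    if not status:
        return "MISSING: no input stanza routes to index=notable; ES notables written to disk are never indexed"
    if not any(status.values()):
        return "DISABLED: notable input stanza(s) present but disabled: " + ", ".join(status)
    return "OK: notable input enabled in " + ", ".join(s for s, ok in status.items() if ok)


def diagnose_file(path):
    """Same check against a real file, e.g. the CIM app's default/inputs.conf."""
    with open(path, encoding="utf-8") as fh:
        return diagnose(fh.read())


if __name__ == "__main__":
    print(diagnose(SAMPLE_INPUTS_CONF))
```

Pair the conf check with a quick count of events in index=notable over the last few days; the thread's symptom was a healthy correlation search with an empty index, which is exactly the MISSING case above.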


Re: Splunk Enterprise Security 6.X - Notables not showing in Incident Management

SplunkTrust

tricky one 😉
