Splunk Enterprise Security

SplunkES plus SOAR: Analyst List, Notable Assignment and Centralized Authentication

starcher
Influencer

Ever tried to assign a SplunkES Notable via Splunk SOAR to have it fail? So you also use centralized authentication such as Okta with your Splunk deployment? Here is what is happening.

SplunkES uses the list of users (cached from SSO and local) as seen in the Settings-Users to build the pull down for ES Notable assignment. This list also matters when assigning notables via the UI such as using Splunk SOAR.

If your analyst has not accessed the SplunkES server at least once they won't show in the SSO cached users.

The search that generates this list is `Threat - Notable Owners - Lookup Gen`

So either make sure any analyst Splunk SOAR might assign a notable to logs into SplunkES at least once. OR make yourself a static lookup table of names and shim it into `Threat - Notable Owners - Lookup Gen`

Just remember the lookup will need two columns; owner,realname.   A modified search might look like the following.

| rest splunk_server=local count=0 /services/authentication/users 
| search capabilities="can_own_notable_events" 
| rename title as owner 
| append 
    [| makeresults 
    | eval owner="unassigned" ] 
| eval _key=owner 
| eval realname=if(isnull(realname) or realname="", null(), realname) 
| table _key owner realname 
| inputlookup append=true static_es_analysts_list 
| dedup owner
| eval _key=owner
| outputlookup notable_owners_lookup
| stats count
Labels (2)
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...