Ever tried to assign a SplunkES Notable via Splunk SOAR to have it fail? So you also use centralized authentication such as Okta with your Splunk deployment? Here is what is happening.
SplunkES uses the list of users (cached from SSO and local) as seen in the Settings-Users to build the pull down for ES Notable assignment. This list also matters when assigning notables via the UI such as using Splunk SOAR.
If your analyst has not accessed the SplunkES server at least once they won't show in the SSO cached users.
The search that generates this list is `Threat - Notable Owners - Lookup Gen`
So either make sure any analyst Splunk SOAR might assign a notable to logs into SplunkES at least once. OR make yourself a static lookup table of names and shim it into `Threat - Notable Owners - Lookup Gen`
Just remember the lookup will need two columns; owner,realname. A modified search might look like the following.