Splunk Enterprise Security

SplunkES plus SOAR: Analyst List, Notable Assignment and Centralized Authentication

starcher
Influencer

Ever tried to assign a SplunkES Notable via Splunk SOAR, only to have it fail? Do you also use centralized authentication, such as Okta, with your Splunk deployment? Here is what is happening.

SplunkES uses the list of users (cached from SSO and local) as seen in Settings > Users to build the pull-down for ES Notable assignment. This list also matters when assigning notables outside the UI, such as via Splunk SOAR.

If your analyst has not accessed the SplunkES server at least once, they won't show in the SSO-cached users.

The search that generates this list is `Threat - Notable Owners - Lookup Gen`.

So either make sure any analyst Splunk SOAR might assign a notable to logs into SplunkES at least once, or make yourself a static lookup table of names and shim it into `Threat - Notable Owners - Lookup Gen`.

Just remember the lookup will need two columns: owner, realname. A modified search might look like the following.

```spl
| rest splunk_server=local count=0 /services/authentication/users
| search capabilities="can_own_notable_events"
| rename title as owner
| append
    [| makeresults
    | eval owner="unassigned" ]
| eval _key=owner
| eval realname=if(isnull(realname) or realname="", null(), realname)
| table _key owner realname
| inputlookup append=true static_es_analysts_list
| dedup owner
| eval _key=owner
| outputlookup notable_owners_lookup
| stats count
```
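A pre-flight check for the situation described above, added here as example code (not from the original post or from Splunk): given an export of `notable_owners_lookup` and the analysts your SOAR playbooks may assign to, it reports who would fail assignment because they are not yet in the lookup, and renders the two-column `static_es_analysts_list` CSV to shim into the search. The lookup rows and analyst names are constructed sample data.

```python
"""Pre-flight check for SOAR -> SplunkES notable assignment (example code).

Compares the current notable_owners_lookup export against the analysts SOAR
may assign to, and renders the static lookup with the required columns.
"""
import csv
import io

# Constructed sample: what the generated lookup holds today, i.e. SSO-cached
# users who have logged into SplunkES at least once plus the 'unassigned' row.
CURRENT_LOOKUP_CSV = """\
_key,owner,realname
unassigned,unassigned,
jdoe,jdoe,Jane Doe
"""

# Constructed sample: analysts a SOAR playbook may assign notables to.
SOAR_ANALYSTS = {"jdoe": "Jane Doe", "asmith": "Alex Smith", "bwong": "Bao Wong"}


def load_owners(lookup_csv: str) -> set[str]:
    """Return the set of owner values from a notable_owners_lookup export."""
    rows = csv.DictReader(io.StringIO(lookup_csv))
    return {row["owner"] for row in rows if row["owner"]}


def missing_owners(lookup_csv: str, analysts: dict[str, str]) -> list[str]:
    """Analysts SOAR could assign to that are absent from the lookup;
    assigning a notable to any of them will fail."""
    present = load_owners(lookup_csv)
    return sorted(user for user in analysts if user not in present)


def build_static_lookup(analysts: dict[str, str]) -> str:
    """Render static_es_analysts_list with exactly the columns owner,realname."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["owner", "realname"], lineterminator="\n")
    writer.writeheader()
    for owner in sorted(analysts):
        writer.writerow({"owner": owner, "realname": analysts[owner]})
    return buf.getvalue()


def merged_owners(lookup_csv: str, analysts: dict[str, str]) -> set[str]:
    """Mirror the modified search: existing rows plus the static list, deduped on owner."""
    return load_owners(lookup_csv) | set(analysts)


if __name__ == "__main__":
    for user in missing_owners(CURRENT_LOOKUP_CSV, SOAR_ANALYSTS):
        print(f"WARNING: {user} is not in notable_owners_lookup; SOAR assignment will fail")
    print(build_static_lookup(SOAR_ANALYSTS), end="")
```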