I'm new to ES. I have taken the ES Admin course, so I probably shouldn't have to ask for help, but I'm pulling my hair out.
I have a linux host running sshd, no firewall. This host has the universal forwarder sending events to the index cluster.
I have another linux host running a brute force attack against it.
Search in Splunk clearly shows the failed attempts, thousands of them.
In ES, I have enabled the "Brute Force Access Behavior Detected" correlation search, and added an Adaptive Response Action to create a notable.
However, even though there are thousands of matching events, I never get a notable created.
SA_AccessProtection app is installed.
Any ideas on how to troubleshoot this, or what might be wrong, would be greatly appreciated.
Does the "notable" index exist?
Yes, once I installed the TA_ForIndexers the indexes were all created.
I can create manual notables with no problems. And if I create an alert in Splunk and set the alert action to create a notable, that works.
However, attempting to create a notable based on a correlative search in ES is not working.