Why not getting Notables?

timsheets13 · ‎04-15-2022

I'm new to ES. I have taken the ES Admin course so I probably shouldn't have to ask for help but I'm pulling my hair out.

I have a linux host running sshd, no firewall. This host has the universal forwarder sending events to the index cluster.

I have another linux host running a brute force attack against it.

Search in Splunk clearly shows the failed attempts, thousands of them.

In ES, I have enabled the "Brute Force Access Behavior Detected" correlation search, and added a Adaptive Response Action to create notable.

However, even though there are thousands of matching events, I never get a notable created.

SA_AccessProtection app is installed.

Any ideas of how to troubleshoot this, or what might be wrong greatly appreciated.

tscroggins · ‎04-16-2022

Does the "notable" index exist?

timsheets13 · ‎04-18-2022

Yes, once I installed the TA_ForIndexers the indexes where all created.

I can create manual notables no problems. And if I create an alert in Splunk and make the alert action to create a notable, that works.

However, attempting to create a notable based on a correlative search in ES is not working.

Are you a member of the Splunk Community?