In Splunk ES, correlation rules added with adaptive response actions (notables with a specified domain), when triggered, get reported in the Top Notable Events panel of the Security Posture dashboard and not in Incident Review. How do I get the triggered events to show up on the Incident Review page? Please help.
We have added more rules to ES. When we add a new rule, we choose the option to create a "notable" under adaptive response actions and also select an appropriate domain.
The new rules are successfully invoked and notable events are being generated. If we do a search for es_notable_events, all notable events created are listed; however, the newly added ones are not listed under any of the selected domains in Incident Review. Also, if we do an advanced search under the Incident Review pane, we cannot find the notables that are generated.
We are also unable to assign these new notables to any of our analysts, and the further drill-down search from the invoked rules seems to be incomplete.
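A set of diagnostic searches, added here as an example and not part of the question above. Incident Review is populated through the `notable` macro rather than by a raw read of the notable index, so running both forms for one rule shows whether the events are actually being written and whether the macro is dropping or mis-labelling them. "My New Rule" is a placeholder for the correlation search's name as it appears in the `search_name` field; the `action.notable.*` field names in the third search are the savedsearches.conf keys I assume the notable adaptive response writes.

```spl
index=notable search_name="My New Rule"
| stats count by security_domain severity

`notable` search_name="My New Rule"
| stats count by security_domain urgency status_label

| rest /servicesNS/-/-/saved/searches splunk_server=local
| search title="My New Rule"
| table title action.notable action.notable.param.security_domain action.notable.param.severity
```

Run the three searches separately. If the first returns rows and the second returns none, the events exist but the macro is filtering them, so compare the `security_domain` values it reports against the domain selected in the rule. If the third search shows `action.notable` unset or an empty `action.notable.param.security_domain`, the adaptive response configuration did not save as expected and the rule should be re-saved before looking further.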