There's some info about troubleshooting notables...  https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Troubleshootnotables Let me know if it turns out to be something else.  ... View more

It sounds like you could use sequence templates:  https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Sequencecorrelationsearches Let me know if that helps.  ... View more

Sounds like you could use entity zones:  https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Entityzones (the example is asset, but it's also for identity) Or change the key to a different field:  https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Identitysettings#Add_or_edit_an_identity_field Let me know if that helps.  ... View more

When you're in the Enterprise Security (ES) app, Configure is located in the ES menu bar as follows (I've circled it in orange):  ... View more

In Enterprise Security, you can change the timing of the correlation searches in Content Management:  https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Configurecorrelationsearches#Change_correlation_search_scheduling  There's also a filter by App, so that you can view only the searches related to the app you're interested in.  Let me know if that helps. ... View more

Sounds like you could use the Incident Review Audit Dashboard: https://docs.splunk.com/Documentation/ES/6.6.0/User/Audit#Incident_Review_Audit or the Investigation Overview Dashboard: https://docs.splunk.com/Documentation/ES/6.6.0/User/Audit#Investigation_Overview Let me know if that helps.     ... View more

For the ES portion of things, also consider this: https://docs.splunk.com/Documentation/ES/6.6.0/Install/InstallEnterpriseSecuritySHC#Back_up_and_restore_Splunk_Enterprise_Security_in_a_search_head_cluster_environment  Let me know if that helps.  ... View more

I don't think it would be a clickable link. It would probably be a copy/paste link. ... View more

The available response actions are the ones in the dropdown list for "insert adaptive response action." For example if you want the next step to be ping a host, you can use text and the link to the action in that format mentioned:  Ping a host to determine if it is active on the network. If the host is active, increase the risk score by 100, otherwise, increase the risk score by 50.  [[action|ping]] https://docs.splunk.com/Documentation/ES/6.6.0/Tutorials/ResponseActionsCorrelationSearch#Part_5:_Choose_available_adaptive_response_actions_for_the_correlation_search   Let me know if that helps.  ... View more

Not specific to an AWS environment, but some things to think about for ES: https://docs.splunk.com/Documentation/ES/6.5.1/Install/InstallEnterpriseSecuritySHC#Back_up_and_restore_Splunk_Enterprise_Security_in_a_search_head_cluster_environment https://docs.splunk.com/Documentation/ES/6.5.1/Install/InstallEnterpriseSecuritySHC#Restore_incident_review_history_from_internal_audit_logs   Let me know if that helps.  ... View more

Yes, with correlation searches that use the Risk data model. Also, assuming that you want to use security framework annotations: https://docs.splunk.com/Documentation/ES/6.5.1/Admin/Configurecorrelationsearches#Use_security_framework_annotations_in_correlation_searches  make sure to check out step 3 & 4... in this release, the Notable and the Risk Analysis adaptive responses work a little differently:  3. (Conditional) If you are using the adaptive response action of Notable because you want see annotations as field labels in Incident Review, and if you are editing a correlation search that does not use the Risk data model, then you need to append an eval statement for the annotations.mitre_attack field to end of the correlation search, such as: | from datamodel:"Identity_Management"."Expired_Identity_Activity" | stats max("_time") as "lastTime",latest("_raw") as "orig_raw",count by "expired_user" | rename "expired_user" as "user" | eval annotations.mitre_attack="T1027" 4. (Conditional) If you are using the adaptive response action of Risk Analysis because you want see annotations as field labels in the Risk Analysis Dashboard, the annotations show up automatically. For more information about creating risk factors to adjust risk scores for risk objects, see Create risk factors in Splunk Enterprise Security. Let me know if that helps.  ... View more

Is it in a search head cluster environment?  https://docs.splunk.com/Documentation/ES/6.5.1/Install/InstallEnterpriseSecuritySHC#Back_up_and_restore_Splunk_Enterprise_Security_in_a_search_head_cluster_environment https://docs.splunk.com/Documentation/ES/6.5.1/Install/InstallEnterpriseSecuritySHC#Restore_incident_review_history_from_internal_audit_logs    Also though, backing up theKV store is part of Enterprise:  https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/BackupKVstore  but should be done prior to upgrading ES: https://docs.splunk.com/Documentation/ES/6.5.1/Install/Upgradetonewerversion  ... View more

Some new features come along in a later release that could help. But they're not available yet in 6.0:   You can put the duplicates in different entity zones: https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Globalsettings#Enable_entity_zones_for_Assets_o... You can change the key to a different field for the merge: https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Assetsettings#Add_or_edit_an_asset_field  ... View more

Hi! How old is the ES version? I'm going to say at least 6.0 because that's when merge behavior changed. In versions of ES earlier than 6.0, there was no context for how to resolve the overlapping key field values. The first host that matched in the collection was the only one you would see in your search results. But as of 6.0, they merge instead. Disable merge was introduced in 6.2.0.  But I only know of this doc section to avoid merging prior to 6.2.0 (using a 6.1.0 doc example... starting below the tables that happen to mention 6.2 for disabling it):  https://docs.splunk.com/Documentation/ES/6.1.0/Admin/Manageassetsandidentititiesuponupgrade#Avoid_merged_assets_and_identities_data  Let me know if that helps.   ... View more

Let me know if this helps: https://docs.splunk.com/Documentation/ES/6.4.1/User/Domaindashboards ... View more

There are A LOT of things you can do with it. But for the very most common things, I would say look at the topics & objectives for ES in the Splunk Training & Certification course descriptions:  https://www.splunk.com/en_us/training/courses/using-splunk-enterprise-security.html  https://www.splunk.com/en_us/training/courses/administering-splunk-enterprise-security.html  ... View more

Which version of ES are you using? It sounds like you could add a custom field and configure it as a tag:  https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Assetsettings#Add_or_edit_an_asset_field  Let me know if that helps.  ... View more

This isn't exactly the answer to the question that you've asked, but if you're using Enterprise Security, it sounds like you could possibly use entity zones to help specify your different domains:  https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Entityzones Let me know if that helps.  ... View more

Added this advice to https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Troubleshootnotables 🙂  ... View more

Does this help?  https://docs.splunk.com/Documentation/ES/6.4.1/Admin/Troubleshootnotables ... View more