Thanks for the response on this. If I choose #3, let's say my correlation search marks the default status of the notable event as "New" and the default owner as "Unassigned", and under the alert actions uses a script that populates the details of the alert, by taking the CSV file that belongs to a given notable event, into my third-party ticket management system to open a ticket and assign it to a security analyst. And once the ticket has been addressed, in return it tells Splunk to mark the corresponding notable's status as "Closed" and references the ticketing system for more details.
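The round trip described in the post, as an added example that is not part of the original post, the thread, or Splunk ES itself: a legacy scripted alert action that Splunk invokes with eight positional arguments (argv[4] is the saved search name, argv[8] the path to the gzipped CSV of results), which opens one ticket per result row in a hypothetical ticketing API, plus the helper the ticketing system's close hook would call to set the notable to Closed through ES's notable_update REST endpoint. The ticket API URL and payload shape, the environment variable names, the presence of an event_id field in the result rows, and status code 5 meaning Closed (the ES default, but configurable in reviewstatuses.conf) are all assumptions.

```python
#!/usr/bin/env python3
"""Scripted alert action for an ES correlation search (added example, not Splunk's code).

Flow: Splunk runs this script -> rows of the gzipped CSV become tickets ->
when the ticket is resolved, the ticketing side calls close_notable() to
set the notable to Closed with a comment pointing back at the ticket.
"""
import csv
import gzip
import io
import json
import os
import sys
import urllib.parse
import urllib.request

# Default ES review status codes (Unassigned=0, New=1, ..., Closed=5).
# Assumption: verify against reviewstatuses.conf on the target instance.
STATUS_CLOSED = 5

# Hypothetical endpoints (assumptions, not real services).
TICKET_API = "https://tickets.example.invalid/api/v1/incidents"
SPLUNK_MGMT = "https://splunk.example.invalid:8089"

URGENCY_TO_PRIORITY = {"critical": 1, "high": 2, "medium": 3, "low": 4}


def parse_results(csv_text):
    """Rows of the alert's result set as dicts (Splunk hands over a gzipped CSV)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def read_results_file(path):
    """Decompress and parse the file Splunk passes as argv[8]."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def build_ticket(row, search_name):
    """Map one result row to the (hypothetical) ticketing API's payload."""
    return {
        "title": f"[Splunk] {row.get('rule_title') or search_name}",
        "priority": URGENCY_TO_PRIORITY.get(row.get("urgency", "").lower(), 5),
        "assignee_group": "soc-analysts",   # assumption: queue the analysts work
        "description": "\n".join(f"{k}={v}" for k, v in sorted(row.items())),
        # notable_update addresses notables by event_id (its ruleUIDs parameter);
        # assumption: the correlation search output carries that field.
        "splunk_event_id": row.get("event_id", ""),
    }


def http_post(url, headers, body):
    """Real transport; replaced by a fake in offline tests."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


def open_ticket(ticket, token, post=http_post):
    """Create the ticket and return its id."""
    status, text = post(
        TICKET_API,
        {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        json.dumps(ticket).encode(),
    )
    if status not in (200, 201):
        raise RuntimeError(f"ticket API returned {status}: {text}")
    return json.loads(text)["id"]


def close_notable(event_id, ticket_ref, session_key, post=http_post):
    """Set the notable to Closed via ES's notable_update endpoint, citing the ticket."""
    params = {
        "ruleUIDs": event_id,
        "status": str(STATUS_CLOSED),
        "comment": f"Closed from ticket {ticket_ref}",
    }
    status, text = post(
        f"{SPLUNK_MGMT}/services/notable_update",
        {"Authorization": f"Splunk {session_key}",
         "Content-Type": "application/x-www-form-urlencoded"},
        urllib.parse.urlencode(params).encode(),
    )
    if status != 200:
        raise RuntimeError(f"notable_update returned {status}: {text}")
    return params


def main(argv):
    # Legacy scripted alerts get no session key; credentials come from the
    # environment here (assumption about how the script is deployed).
    search_name, results_path = argv[4], argv[8]
    token = os.environ["TICKET_API_TOKEN"]
    for row in read_results_file(results_path):
        ticket_id = open_ticket(build_ticket(row, search_name), token)
        print(f"opened {ticket_id} for {row.get('event_id', '?')}", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

The ticketing system would call close_notable() from its "ticket resolved" webhook, supplying the event_id it stored at creation time; keeping that id on the ticket is what lets the close propagate back without a second search.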