Hey Dio, So do intermediate findings not get the enrichment from risk and other automatic lookups in the same way a "finding" does? Or... does it feel as if all event-based searches should have a "finding" result to get that enrichment? Or should I expand the SPL for the event-based search to included the risk datamodel? ... View more

I have the same question. I have a handful of event-based findings that I do not see populated in Mission Control. Based upon Splunk Docs, you either need to enable "Intermediate Finding" or "Finding" for the output. I also leverage a SOAR platform but notice that none of my event based findings get enriched with risk and other automatic lookups/metadata that gets added AFTER an event-based finding has a result.  From what I see, Intermediate Findings also don't get written to index=notable. Does anyone have insight on how I can see intermediate findings and also find the data in a Splunk index? ... View more