I assume you're talking about Enterprise Security. There are a couple of starting points. The `notable` macro will give you notable events from the index.

`notable`

Also if you look in the Security Posture dashboard, you will see the 'Top Notable Events' panel, which has a search you can expand to see where the data is coming from.

Note that the notable macro will take data from the notable index, whereas the es_notable_events takes data from the es_notable_events lookup file.

You can always see what a search containing a macro expands to by pressing Ctrl-Shift-E or Cmd-Shift-E (Mac) and it shows what the full expanded search looks like with no macros.

Hope this gets you started.