Enable notables for correlation searches
When you upgrade to Enterprise Security 6.4.x or higher, notable actions for some correlation searches may be disabled. If you want these correlation searches to generate notables, you must re-enable the notable actions for the correlation searches.
Use the following list to identify the correlation searches that may be disabled:
- Access - Account Deleted - Rule
- Access - Brute Force Access Behavior Detected - Rule
- Access - Cleartext Password At Rest - Rule
- Access - Default Account Usage - Rule
- Access - Default Accounts At Rest - Rule
- Audit - Anomalous Audit Trail Activity Detected - Rule
- Endpoint - Should Timesync Host Not Syncing - Rule
- Endpoint - High Number of Hosts Not Updating Malware Signatures - Rule
- Network - Substantial Increase in an Event - Rule
- Network - Substantial Increase in Port Activity (By Destination) - Rule
- Asset - Asset Ownership Unspecified - Rule
- Identity - Activity from Expired User Identity – Rule
- From the Enterprise Security menu, select Configure > Content > Content Management. This displays the list of knowledge objects and correlation searches.
- Click on the correlation search for which you want to re-enable the notables.
This opens the correlation search editor.
- Scroll down to Adaptive Response Actions and click on Add New Response Action.
- From the list of adaptive response actions, select Notable.
- Scroll to Recommended Actions and select the notable actions that you want to enable for the correlation search from the list.
- Click Save.
In releases 6.4.0 and higher, the
[Audit - Notable Default Modify for Correlation Searches] search is a default risk based correlation search that creates risk events instead of notable events. If you run this risk based correlation search as a search that generates notables, you might receive health check warnings and the search may run in an infinite loop. To prevent this, disable the
[Audit - Notable Default Modify for Correlation Searches] search on the Splunk Enterprise Security UI.
Upgrade correlation searches in Splunk Enterprise Security
Use default risk incident rules in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2