Create a notable to investigate in Splunk Mission Control

When viewing the details for any entity in behavioral analytics service, you can create a notable that you can view and investigate in Splunk Mission Control with the default label of UEBA Notable.

Perform the following tasks to create a notable in behavioral analytics service:

1. Navigate to the entity details page for a specific entity. You can do this by clicking on the entity from the Entity page or the User & Entity Analytics dashboard.
2. On the entity details page, click Create Notable.
3. Enter a name in the Notable Name field.
4. Select a label from the drop-down list in the Label field. By default, the UEBA Notable label is used for notables created in behavioral analytics service. You can triage this entity and its anomalies in behavioral analytics service and make a determination that the notable belongs in another category that you already have in Splunk Mission Control. In such cases, select the appropriate label from the drop-down list so that you don't need to find the notable later in Splunk Mission Control and change its label.
5. Click the down arrow to expand the Advanced options. You can enter additional values for the notable such as status, owner, severity, and sensitivity.
6. Click Submit to create the notable.

In Splunk Mission Control, click Investigations from the menu bar to view the list of notables, called the analyst queue. Type UEBA Notable in the search field to filter the notables so that only notables with the default UEBA Notable label are listed.