WEEK_3 · DAY_18 · 1 HOUR
Notable Events & Incident Review
The analyst's daily workspace
Learning Objectives
- Triage a Notable Event end-to-end
- Use the Adaptive Response menu
- Add events to an Investigation
- Manage status, owner, urgency, comments
Module 1 — What is a Notable Event?
A high-fidelity alert written to the notable index when a Correlation Search fires with the Notable adaptive response action; Incident Review reads from that index.
Each notable carries an urgency (derived from the correlation search's severity and the priority of the assets or identities involved), a status, an owner, a drill-down search back to the contributing events, and the ATT&CK technique annotated on the rule.
Module 2 — Incident Review Workflow
Filter by urgency / status / owner / time.
Click the title for full event details and contributing search.
Use Actions menu → run Adaptive Response (block IP, disable user, run SOAR playbook).
Add note · change status · assign owner · escalate.
Module 3 — Urgency
Derived from the correlation search's severity combined with the priority of the involved assets and identities (the highest priority on the event is the one that counts), via the urgency lookup.
Asset & Identity frameworks (Day 21) supply those priorities: an asset or identity missing from the inventory has no priority to contribute, so an incomplete inventory skews urgency.
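The urgency mechanism above, modelled as an added Python example (not Splunk code). The lookup values, the asset inventory and the "highest priority wins" rule are constructed assumptions chosen to make the shape of the calculation visible; the real mapping lives in ES's urgency lookup and the real priorities come from the Asset & Identity frameworks.

```python
"""Model of how ES derives a notable's urgency (added illustration, not Splunk code).

Inputs: the correlation search's severity and the priorities the
Asset & Identity frameworks assign to the entities on the event.
The lookup values and the inventory below are constructed assumptions.
"""
from __future__ import annotations

SEVERITIES = ["informational", "low", "medium", "high", "critical"]
PRIORITIES = ["unknown", "low", "medium", "high", "critical"]


def build_urgency_lookup() -> dict[tuple[str, str], str]:
    """Build a (priority, severity) -> urgency table.

    ES ships this as a lookup file; the cell values here follow an ASSUMED
    rule (round-half-up average of the two ranks) picked only so the
    mechanism can be exercised offline.
    """
    table = {}
    for p_rank, priority in enumerate(PRIORITIES):
        for s_rank, severity in enumerate(SEVERITIES):
            table[(priority, severity)] = SEVERITIES[(p_rank + s_rank + 1) // 2]
    return table


URGENCY_LOOKUP = build_urgency_lookup()

# Constructed sample of what the Asset & Identity lookups would return.
ASSET_INVENTORY = {
    "dc01.corp.example": "critical",
    "fileserver02.corp.example": "high",
    "10.20.30.40": "low",
    "j.smith": "medium",
    "svc_backup": "high",
}


def entity_priority(entity: str, inventory: dict[str, str]) -> str:
    """Priority of one asset/identity; anything not in the inventory is 'unknown'."""
    return inventory.get(entity.strip().lower(), "unknown")


def notable_urgency(severity: str, entities: list[str],
                    inventory: dict[str, str] = ASSET_INVENTORY) -> str:
    """Urgency for a notable with the given rule severity and involved entities.

    Assumption: the highest priority among the involved assets/identities
    is the one combined with the severity.
    """
    severity = severity.strip().lower()
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity!r}")
    top = max((entity_priority(e, inventory) for e in entities),
              key=PRIORITIES.index, default="unknown")
    return URGENCY_LOOKUP[(top, severity)]


if __name__ == "__main__":
    cases = [
        ("high", ["10.20.30.40", "j.smith"]),            # medium-priority user
        ("high", ["laptop-777", "contractor"]),          # nothing in inventory
        ("critical", ["dc01.corp.example", "j.smith"]),  # critical asset wins
    ]
    for sev, ents in cases:
        print(f"severity={sev:<8} entities={ents} -> urgency={notable_urgency(sev, ents)}")
```

The second case is the one to notice: the same rule at the same severity lands lower in the Incident Review queue purely because the entities were never added to the inventory. That is why the Day 21 asset work feeds directly into triage.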
Module 4 — Adaptive Response Actions
Risk modifier · Notable creation · Email · Webhook · Run SOAR playbook · Create ServiceNow ticket · Block at firewall.
Risk modifier and Notable creation are ES-native; email and webhook are core Splunk alert actions; the SOAR, ServiceNow and firewall actions come from their respective add-ons and only work once those add-ons and their credentials are configured.
Lab 18 — Triage 5 Notables
- Open Splunk ES → Incident Review.
- Open each of the 5 pre-loaded Notable Events.
- For each: read the contributing SPL, write a triage note, decide escalate/close.
- Connect them — these 5 tell ONE attack story.
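The last lab step, connecting the notables into one story, as an added Python example (not course material or ES code). The six notables, their rule names and ATT&CK techniques are constructed sample data; the linking rule (notables that share a src, dest or user belong to the same story) is this example's own heuristic, not an ES feature. A sixth, unrelated notable is included so the linking has something to leave out.

```python
"""Link notables into attack stories by the entities they share.

Added example for the lab; the notables below are constructed sample data
with illustrative rule names, not ES's shipped correlation searches.
"""
from __future__ import annotations
from collections import defaultdict

URGENCY_RANK = ["informational", "low", "medium", "high", "critical"]

NOTABLES = [
    {"id": "N1", "_time": "2024-05-01T08:02:00Z", "rule_name": "Brute force logon burst",
     "src": "203.0.113.7", "dest": "vpn01.corp.example", "user": "j.smith",
     "technique": "T1110", "urgency": "medium"},
    {"id": "N2", "_time": "2024-05-01T08:15:00Z", "rule_name": "VPN logon from new geo",
     "src": "vpn01.corp.example", "dest": "wks-0421.corp.example", "user": "j.smith",
     "technique": "T1078", "urgency": "medium"},
    {"id": "N3", "_time": "2024-05-01T09:40:00Z", "rule_name": "LSASS memory access",
     "src": "wks-0421.corp.example", "dest": "wks-0421.corp.example", "user": "j.smith",
     "technique": "T1003", "urgency": "high"},
    {"id": "N4", "_time": "2024-05-01T10:05:00Z", "rule_name": "Admin share lateral movement",
     "src": "wks-0421.corp.example", "dest": "fileserver02.corp.example", "user": "svc_backup",
     "technique": "T1021", "urgency": "high"},
    {"id": "N5", "_time": "2024-05-01T11:30:00Z", "rule_name": "Large outbound transfer",
     "src": "fileserver02.corp.example", "dest": "198.51.100.9", "user": "svc_backup",
     "technique": "T1048", "urgency": "critical"},
    # Unrelated decoy: shares nothing with the chain above.
    {"id": "N6", "_time": "2024-05-01T09:00:00Z", "rule_name": "Phishing attachment opened",
     "src": "192.0.2.55", "dest": "mail01.corp.example", "user": "a.lee",
     "technique": "T1566", "urgency": "low"},
]


def link_by_entities(notables, fields=("src", "dest", "user"), ignore=frozenset()):
    """Group notables that share any entity value; returns stories, each in time order.

    `ignore` holds lower-cased hub entities (a DC, a proxy, a shared admin
    account) that appear in so many events that linking on them would glue
    unrelated stories together.
    """
    parent = {n["id"]: n["id"] for n in notables}   # union-find over notable ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]            # path halving
            x = parent[x]
        return x

    by_entity = defaultdict(list)
    for n in notables:
        for f in fields:
            v = (n.get(f) or "").strip().lower()
            if v and v not in ignore:
                by_entity[v].append(n["id"])

    for ids in by_entity.values():                   # every notable naming an entity joins its set
        root = find(ids[0])
        for other in ids[1:]:
            parent[find(other)] = root

    stories = defaultdict(list)
    for n in notables:
        stories[find(n["id"])].append(n)
    return sorted((sorted(s, key=lambda n: n["_time"]) for s in stories.values()),
                  key=lambda s: s[0]["_time"])


def story_urgency(story):
    """Highest urgency in a story: the level to escalate the whole chain at."""
    return max((n["urgency"] for n in story), key=URGENCY_RANK.index)


def storyline(story):
    """One line per notable, in time order, ready to paste into a triage note."""
    return [f"{n['_time']} {n['id']} {n['technique']} {n['rule_name']}: "
            f"{n['src']} -> {n['dest']} as {n['user']}" for n in story]


if __name__ == "__main__":
    for story in link_by_entities(NOTABLES):
        print(f"story of {len(story)} notables, urgency {story_urgency(story)}")
        print("\n".join("  " + line for line in storyline(story)))
```

Run it and the five related notables come out as one chain from brute force through credential access and lateral movement to exfiltration, with the phishing notable on its own. Try passing a busy host in `ignore` to see the chain split, which is the trade-off you make in a real environment when a domain controller or proxy shows up in every event.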
Key Takeaways
- ✓ Incident Review is the SOC's pulse
- ✓ Urgency = rule severity combined with asset/identity priority
- ✓ Adaptive Response is the bridge to action