Turn on the detection
After you have verified the results of a detection, turn it on using the correlation search editor on the Content Management page in Splunk Enterprise Security.
Follow these steps to turn on the detection:
- Use the correlation search editor to edit the search name, the app context settings, the description, and the Splunk SPL query.
- Use the Time range section in the correlation search editor to schedule the detection. For more information, see Schedule correlation searches in Splunk Enterprise Security.
All ESCU detection searches ship with the following scheduling configuration:

| Setting | Value |
| --- | --- |
| Timestamp | Event time |
| earliest | -70m@m |
| latest | -10m@m |
| Cron schedule | 0 * * * * |
| Scheduling | Continuous |
| Schedule window | Auto |
| Schedule priority | Default |

With these values each run searches a 60-minute window of event time that ends 10 minutes before the run, so the hourly cron tiles consecutive windows edge to edge with no gap and no overlap. The 10-minute lag leaves time for late-arriving events to be indexed before their window is searched, and continuous scheduling means a delayed scheduler runs the missed intervals instead of skipping them. If you change the cron interval, change earliest and latest to match, otherwise events are missed or counted twice.
- Configure the adaptive response actions that are triggered when the detection generates an alert, for example sending email notifications, creating notables, or creating risk alerts:
  - Risk alert action
  - Notable alert action
- Add annotations: relevant context that enriches the risk notables generated in Splunk Enterprise Security, such as mappings to a cybersecurity framework (MITRE ATT&CK, CIS 20, or NIST Controls). You can also add organization-specific annotations in the Unmanaged Annotations section.
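The steps above map one to one onto keys in a correlation search's savedsearches.conf stanza, which is what the correlation search editor writes and what ESCU ships for each detection. The stanza below is an added illustration, not a detection from the ESCU package or from this page: the search name, SPL, risk object, notable fields, and annotation values are assumptions chosen to show the shape, while the scheduling keys carry the ESCU defaults listed above. `enableSched = 1` together with `disabled = 0` is what actually turns the detection on.

```ini
# Illustrative stanza (not an ESCU detection); the name and SPL are assumed.
[ESCU - Example Suspicious Process Launch - Rule]
disabled = 0
# Turning the detection on means enabling its schedule.
enableSched = 1
description = Detects an illustrative suspicious child process (placeholder SPL).
search = | tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=example.exe by Processes.dest Processes.user Processes.process \
  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`

# Scheduling: the ESCU defaults from the table above.
# A 60-minute event-time window that ends 10 minutes ago, run hourly, tiles with no gap.
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
cron_schedule = 0 * * * *
# realtime_schedule = 0 is "Continuous": delayed runs are executed, not skipped.
realtime_schedule = 0
schedule_window = auto
schedule_priority = default

# Mark the saved search as an ES correlation search.
action.correlationsearch.enabled = 1
action.correlationsearch.label = Example Suspicious Process Launch

# Annotations: framework mappings that enrich the resulting risk notables.
# The technique IDs and control names here are placeholders, not a real mapping.
action.correlationsearch.annotations = {"mitre_attack": ["T1059"], "cis20": ["CIS 10"], "nist": ["DE.CM"]}

# Risk alert action: score the user and the host named in each matching event.
# The JSON shape follows what the ESCU build emits; the scores are assumed.
action.risk = 1
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 25}, {"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
action.risk.param._risk_message = Process $process$ launched by $user$ on $dest$

# Notable alert action: create a notable event for the analyst queue.
action.notable = 1
action.notable.param.rule_title = Example Suspicious Process Launch on $dest$
action.notable.param.rule_description = $user$ launched $process$ on $dest$
action.notable.param.security_domain = endpoint
action.notable.param.severity = medium
```

After editing the stanza, reload the app or restart splunkd and confirm in the Content Management page that the search shows as Enabled with the expected cron schedule; a stanza with `enableSched = 0` appears in the list but never runs, which is the most common reason a verified detection produces no notables.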