Hey Benjamin,
I believe this macro is what populates the "Adaptive Responses" area of a Notable event when you expand it in incident review. It should be a fairly fast/narrow search and should only be invoked when you expand a particular notable in incident review.

For reference, here's the macro defintion:

tstats allow_old_summaries=true latest(Modular_Actions.action_status) as action_status from datamodel=Splunk_Audit.Modular_Actions where Modular_Actions.action_name!="unknown" (Modular_Actions.sid=$sid$ Modular_Actions.rid=$rid$) OR (Modular_Actions.orig_sid=$sid$ Modular_Actions.orig_rid=$rid$) by _time,nodename,Modular_Actions.action_name,Modular_Actions.sid,Modular_Actions.rid,Modular_Actions.action_mode,Modular_Actions.user span=1s | `drop_dm_object_name("Modular_Actions")` | eventstats latest(action_status) as action_status by action_name,sid,rid | search nodename="Modular_Actions.Modular_Action_Invocations" | sort 0 -_time | join type=outer action_name [| rest splunk_server=local count=0 /services/alerts/alert_actions | spath input=param._cam path=drilldown_uri output=action_drilldown_uri | rename title as action_name,label as action_label | fields action_name,action_label,action_drilldown_uri] | eval action_label=if(isnotnull(action_label),action_label,action_name),epoch_time=_time | fields _time,epoch_time,action_status,action_name,action_label,action_mode,action_drilldown_uri,sid,rid,user