In Incident Review, one can create a filter and save it as a default. Where does it store that configuration so I can push it across multiple ES instances?
See the answer to your other question here: https://community.splunk.com/t5/Splunk-Enterprise-Security/Where-does-the-incident-review-saved-filt...