Splunk Enterprise Security

How to make the Splunk ES Risk-Based Alerting risk threshold search case insensitive

hettervik
Builder

We've started looking into Risk-Based Alerting (RBA) in Splunk ES, and noticed that the logic for the risk notables is in fact case sensitive for risk objects (users and systems, mostly). This is a bit counterintuitive, as the Asset & Identity (A&I) settings clearly say that it is not case sensitive, but we figured out that RBA doesn't use A&I at all, and instead just uses the field value for the user/system directly, without having any logic to merge users/systems under different aliases.

I've made a small change to the RBA alert "Risk Threshold Exceeded For Object Over 24 Hour Period" to at least make it case insensitive, in case anyone else needs a fix for this problem as well.

Just change the first two lines of the search from this:

| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type
| `drop_dm_object_name("All_Risk")`
To this:

| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, values(All_Risk.tag) as tag, values(source) as source from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type 
| `drop_dm_object_name("All_Risk")`
| eval risk_object=lower(risk_object)
| stats sum(risk_score) as risk_score, sum(risk_event_count) as risk_event_count, values(annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(tag) as tag, values(source) as source, dc(source) as source_count by risk_object, risk_object_type
0 Karma
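To show what the extra `lower()` step changes in practice, here is an added example that is not part of the post above and not Splunk's code: a small Python emulation of the search's aggregation, run over constructed risk events for a user whose risk_object appears as "jdoe", "JDOE" and "JDoe". It groups once exactly as tstats does (case-sensitive) and once after lowercasing, which is what the `| eval risk_object=lower(risk_object)` followed by `| stats ...` achieves. The notable thresholds (`min_score`, `min_sources`) are illustrative assumptions, since the post only shows the first two lines of the search and not its `where` clause; the rule names in the `source` field are made up.

```python
"""Emulate the aggregation in the Splunk ES 'Risk Threshold Exceeded For Object
Over 24 Hour Period' search over constructed risk events, once grouped exactly
as tstats groups them (case-sensitive) and once after the lower() step.
Added example, not Splunk's code; all event data below is constructed."""
from collections import defaultdict


# Constructed risk events, one per risk rule firing, carrying the fields the RBA
# search reads from the Risk data model (names flattened after drop_dm_object_name).
RISK_EVENTS = [
    {"risk_object": "jdoe", "risk_object_type": "user", "calculated_risk_score": 40,
     "mitre_tactic_id": "TA0001", "mitre_technique_id": "T1566",
     "source": "Threat - Email Attachment - Rule"},
    {"risk_object": "JDOE", "risk_object_type": "user", "calculated_risk_score": 30,
     "mitre_tactic_id": "TA0002", "mitre_technique_id": "T1059.001",
     "source": "Threat - Suspicious PowerShell - Rule"},
    {"risk_object": "JDoe", "risk_object_type": "user", "calculated_risk_score": 35,
     "mitre_tactic_id": "TA0008", "mitre_technique_id": "T1021.001",
     "source": "Threat - Lateral RDP - Rule"},
    {"risk_object": "asmith", "risk_object_type": "user", "calculated_risk_score": 20,
     "mitre_tactic_id": "TA0001", "mitre_technique_id": "T1566",
     "source": "Threat - Email Attachment - Rule"},
]


def aggregate_risk(events, normalize=None):
    """Group events by (risk_object, risk_object_type) and compute the same
    figures as the search's stats clause: summed score, event count, and
    distinct counts of tactics, techniques and sources.

    `normalize` plays the role of `| eval risk_object=lower(risk_object)`;
    with normalize=None the grouping is the case-sensitive tstats behaviour."""
    groups = defaultdict(list)
    for event in events:
        risk_object = event["risk_object"]
        if normalize is not None:
            risk_object = normalize(risk_object)
        groups[(risk_object, event["risk_object_type"])].append(event)

    summary = {}
    for key, group in groups.items():
        summary[key] = {
            "risk_score": sum(e["calculated_risk_score"] for e in group),
            "risk_event_count": len(group),
            "mitre_tactic_id_count": len({e["mitre_tactic_id"] for e in group}),
            "mitre_technique_id_count": len({e["mitre_technique_id"] for e in group}),
            "source_count": len({e["source"] for e in group}),
        }
    return summary


def objects_over_threshold(summary, min_score=100, min_sources=3):
    """Return the (risk_object, risk_object_type) keys that would become a risk
    notable. The thresholds are illustrative assumptions: the post shows only
    the first two lines of the search, not its `where` clause."""
    return sorted(key for key, row in summary.items()
                  if row["risk_score"] >= min_score and row["source_count"] >= min_sources)


if __name__ == "__main__":
    case_sensitive = aggregate_risk(RISK_EVENTS)
    case_insensitive = aggregate_risk(RISK_EVENTS, normalize=str.lower)
    print("case-sensitive groups:", sorted(case_sensitive))
    print("notables (case-sensitive):", objects_over_threshold(case_sensitive))
    print("case-insensitive groups:", sorted(case_insensitive))
    print("notables (case-insensitive):", objects_over_threshold(case_insensitive))
```

With the sample data the case-sensitive grouping yields three separate "jdoe" rows, each well under the threshold with a single source, so nothing fires; after lowercasing they merge into one row with a score of 105 across three sources and three tactics, which crosses it. The example also illustrates why the post's rewritten search moves the `dc()` calls out of `tstats` and into the trailing `stats`: the distinct counts of tactics, techniques and sources are only meaningful once computed over the merged object, not per case variant.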

hettervik
Builder

Don't need an answer to this question, just wanted to share my solution.

marand
Explorer

Just what I was looking for 🙂

0 Karma