Solved: How to use multiple risk object fields on ES Risk ...

alonsocaio · ‎10-29-2019

When creating or editing a correlation search in Enterprise Security, Is there any way to use multiple fields on the Risk Analysis response action?

As an example, I have a correlation search which I want to increase risk to both src and dest. I tried to separate this two fields using comma, but it does not seen to work.

starcher · ‎10-29-2019

The UI does not support that.
You can review the docs on how to edit risk on another object by also doing it in your SPL search. Look at the section calling the sendalert command.

https://docs.splunk.com/Documentation/ES/5.3.1/User/RiskScoring

View solution in original post

starcher · ‎10-29-2019

The UI does not support that.
You can review the docs on how to edit risk on another object by also doing it in your SPL search. Look at the section calling the sendalert command.

https://docs.splunk.com/Documentation/ES/5.3.1/User/RiskScoring

alonsocaio · ‎10-29-2019

Thanks, I think this will help me.

How to use multiple risk object fields on ES Risk Analysis response action?

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

New Dates, New City: Save the Date for .conf25!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud