Splunk Enterprise Security

Lookup: 'PrivilegedRiskScores' is missing


With Security Essentials, I get an error:

[Indexer] Streamed search execute failed because: Error in 'lookup' command: Lookups: The lookup table 'PrivilegedRiskScores' does not exist or is not available.

Must have a risk index Error

This search presumes the presence of Splunk Enteprise Security to provide the Risk Framework. Reach out to your Splunk team to find out more about Splunk ES, or adapt this search for your own list of risk events.

There is, indeed, index="risk"
And the Risk Analysis Datamodel exists.

However, there is no defined Automatic Lookup with "Privilege"

0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...