Splunk Enterprise Security

Why is risk event timeline not working and giving an Error: "Risk event has missing or invalid fields"?

stewlarsen
New Member

I am trying to pull up the Risk Event Timeline for a Risk Notable in my Incident Review Dashboard.   Every time I click the link, it gives me an error saying "Risk event has missing or invalid fields".  

I know that Risk Event Timeline only works for the risk_object field on Risk Notables.

  1. We have noticed a couple of issues that were related to Search-Driven lookups being disabled.  Might there be a lookup table that is referenced here that might be in the same boat?
  2. Is there somewhere that defines what fields are required in the Risk Notable?
  3. Any way to troubleshoot what is missing or incorrect?

gabriel_vasseur
Contributor

For me, the risk event timeline works for the ES built-in RIRs such as "Risk - 24 Hour Risk Threshold Exceeded - Rule". However we don't use them and we have our own RIRs, for which we had the same problem as the OP.

First step is to make sure our RIRs are mentioned in the "risk_notables" event type, otherwise the option to open the risk event timeline isn't there.

Then, looking at "Risk - 24 Hour Risk Threshold Exceeded - Rule" it produces the following fields:
risk_object
risk_object_type
risk_score
risk_threshold
risk_event_count
mitre_tactic_id_count
mitre_technique_id_count
source (multivalue field with the names of the RR correlations)
source_count
I can't confirm which ones are indeed required, but adding these to my RIR got rid of the error message.

The next hurdle was "Risk event search did not return any results. Please verify notable drilldown search."

This was solved by copying the drilldown search from "Risk - 24 Hour Risk Threshold Exceeded - Rule" to the drilldown search of my RIR.

Now the risk event timeline works for us 🙂 Of course, it's too limited to be useful but it's nice to be aligned with what ES is doing in case it one day becomes useful.


gabriel_vasseur
Contributor

We have the same problem. Here is a screenshot: [risk timeline.PNG]

I would love for this question from the original poster to be answered:

"Is there somewhere that defines what fields are required in the Risk Notable?"

lakshman239
Influencer

@gabriel_vasseur @stewlarsen @marysan  - Not sure if you have managed to resolve this.

I had encountered the same issue and I had to change the drill-down to ensure calculated_risk_score is available in addition to all risk_* fields - https://docs.splunk.com/Documentation/ES/7.1.1/RBA/TopologyVisualization

If this helps, please mark this accepted. Thanks.

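The two fixes described in this thread (gabriel_vasseur's: put the custom RIR in the risk_notables eventtype, emit the same fields as the stock 24 Hour rule, and give it a per-event drilldown; lakshman239's: make sure the drilldown returns calculated_risk_score along with the risk_* fields) can be expressed as two .conf stanzas in a custom app. The following is an added example, not configuration from the thread or from Splunk's shipped ES apps. The RIR name, threshold, schedule and app are hypothetical; the search body mirrors the shape of the stock "Risk - 24 Hour Risk Threshold Exceeded - Rule" but is not a copy of it; and the risk_notables definition below is an assumption about what the stock eventtype contains, so compare it against Settings > Event types in your own ES version before deploying, because a stanza with the same name in your app replaces the stock one rather than adding to it.

```ini
# savedsearches.conf in a custom app (hypothetical name: DA-ESS-Custom).
# The aggregate search is built the same way as the stock 24 Hour rule, so the
# resulting risk notable carries every field the timeline was observed to need:
# risk_object, risk_object_type, risk_score, risk_threshold, risk_event_count,
# mitre_tactic_id_count, mitre_technique_id_count, source, source_count.
[Risk - Custom 7 Day Risk Threshold Exceeded - Rule]
cron_schedule = */30 * * * *
dispatch.earliest_time = -7d
dispatch.latest_time = now
search = | tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, \
  count(All_Risk.calculated_risk_score) as risk_event_count, \
  dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, \
  dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, \
  values(source) as source, dc(source) as source_count \
  from datamodel=Risk.All_Risk by All_Risk.risk_object, All_Risk.risk_object_type \
  | `drop_dm_object_name("All_Risk")` \
  | eval risk_threshold=250 \
  | where risk_score > risk_threshold
action.notable = 1
action.notable.param.rule_title = Risk threshold exceeded for $risk_object$
action.notable.param.security_domain = threat
action.notable.param.severity = high
# The timeline runs the drilldown with the notable's risk_object/risk_object_type
# substituted in. It must return the individual risk events from the Risk data
# model (each of which carries calculated_risk_score and the other risk_* fields),
# not another aggregate; an aggregate is what produces "Risk event search did not
# return any results".
action.notable.param.drilldown_name = View risk events for $risk_object$
action.notable.param.drilldown_search = | from datamodel:"Risk.All_Risk" | search risk_object="$risk_object$" risk_object_type="$risk_object_type$"

# eventtypes.conf in the same app. Without the custom RIR listed here, Incident
# Review never offers the "Risk Event Timeline" link at all. Keep the stock RIR
# names in the list: defining [risk_notables] here overrides the stock stanza.
# (Assumed shape of the stock definition; verify against your ES version.)
[risk_notables]
search = `notable` source IN ("Risk - 24 Hour Risk Threshold Exceeded - Rule", "Risk - Custom 7 Day Risk Threshold Exceeded - Rule")
```

A quick check after deploying: open a notable from the custom RIR in Incident Review and run its drilldown search manually with real values in place of the tokens; if it returns zero rows, the timeline will fail regardless of which fields the notable itself carries.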

gabriel_vasseur
Contributor

I did resolve this issue for us, as per my other post on this page.

Weirdly, it didn't involve the calculated_risk_score field, as we just don't have that field at all. Weird!


marysan
Communicator

Hi,

Please post a picture or screenshot.
