Splunk Enterprise Security

Splunk Enterprise Security: risk modifier from search pipeline not working

stuartmcintosh
New Member

Used a search from the Splunk Risk Framework page:
http://dev.splunk.com/view/enterprise-security/SP-CAAAFBD

Search:
| makeresults | eval risk_object="mysystem"
| sendalert risk param._risk_score="100" param._risk_object_type="system"

I am not seeing the risk scores modified. the alert_actions.conf looks correct and have tried different objects with no luck. We have notables with risk modification running and those are working. Just not from the search pipeline.

Any ideas?

0 Karma

stuartmcintosh
New Member

I was able to work this out. the | sendalert risk works from the search but not as a correlation search. |collect index="risk" works from the correlation search and is the new guidance over sendalert from Splunk PS.

0 Karma

woodcock
Esteemed Legend

What is your approach now?

stuartmcintosh
New Member

Thank you, wejust upgraded and this was fixed in the upgrade but it baffled several splunk resources as well. It pays to be on a current version.

0 Karma

kchamplin_splun
Splunk Employee
Splunk Employee

You need to include the param._risk_object_field and specify which field in your search contains the object you want to modify.
ex.
| makeresults | eval risk_object="username@domain.com" | sendalert risk param._risk_score="100" param._risk_object_field="risk_object" param._risk_object_type="user"

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

The example in the developer docs could perhaps be clearer. The first half of the example search is creating a dummy risk object called "mysystem". The second half is what you would use in your own environment, with the first half of the search being something specific that narrows down the search results to the object that you want to adjust the risk score for. Is that what you're doing already?

0 Karma

stuartmcintosh
New Member

Tried both ways 😞 thought this would be a clearer example of the issue than my larger search. Good idea though!

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Yeah, I figured you had 🙂 Wanted to make sure that wasn't what was happening, at least. This perplexes me. Are you getting an error, or how do you know that it isn't working?

0 Karma

stuartmcintosh
New Member

no errors, i see a stats table when i run the sendalert risk command but no risk modifiers show up in Risk Analysis page or the lookup. It's like it never saves the modification.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Hmmmm. I have no more ideas.

0 Karma
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...