Used a search from the Splunk Risk Framework page:
| makeresults | eval risk_object="mysystem"
| sendalert risk param._risk_score="100" param._risk_object_type="system"
I am not seeing the risk scores modified. The alert_actions.conf looks correct and I have tried different objects with no luck. We have notables with risk modification running and those are working, just not from the search pipeline.
I was able to work this out. The | sendalert risk command works from the search but not as a correlation search.
| collect index="risk" works from the correlation search and is the new guidance over sendalert from Splunk PS.
You need to include the param._risk_object_field parameter and specify which field in your search contains the object you want to modify.
| makeresults | eval risk_object="email@example.com" | sendalert risk param._risk_score="100" param._risk_object_field="risk_object" param._risk_object_type="user"
The example in the developer docs could perhaps be clearer. The first half of the example search is creating a dummy risk object called "mysystem". The second half is what you would use in your own environment, with the first half of the search being something specific that narrows down the search results to the object that you want to adjust the risk score for. Is that what you're doing already?
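As an added example (not from any poster in this thread), here is the | collect index="risk" form that the second answer recommends for correlation searches, written against the same dummy user object as the sendalert example above, followed by a search to confirm the score actually landed. The field names risk_object, risk_object_type, risk_score and risk_message, and the source value, are assumed to match what the ES risk index expects; they are not stated in the thread.

```spl
| makeresults
| eval risk_object="email@example.com",
       risk_object_type="user",
       risk_score=100,
       risk_message="Constructed example: manual risk adjustment"
| collect index="risk" source="Manual risk adjustment (assumed correlation search name)"

index=risk risk_object="email@example.com"
| stats sum(risk_score) AS total_risk, values(source) AS sources BY risk_object, risk_object_type
```

Run the first search from the correlation search and then the second on its own; if total_risk does not include the 100 you wrote, the event did not reach the risk index and the problem is in the write, not in the risk scoring.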