Splunk Enterprise Security

Why are risk objects not being normalized against assets and identities?

chromefinch
Loves-to-Learn Lots

I'm using RBA and am having issues with duplicate notables for the same thing. For example, I'll get a notable for both a host name and an IP, or I'll get one for a userID and an email.

How do assets and identities work with RBA and the Risk Index?

0 Karma

chromefinch
Loves-to-Learn Lots

I'm going to talk to myself, 

What is the mechanism that normalizes risk_objects in the risk index/data model? 

https://docs.splunk.com/Documentation/ES/7.0.2/Admin/Manageassetsandidentities

Is there supposed to be an alias? I heard rumors of a risk_object_asset field, but I don't know how to create it. Should I just coalesce(hostname,ip,email,userid)?

0 Karma
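As an added example (not from the thread, and not ES's own asset/identity normalization logic), here is one way to check the coalesce idea: build a single normalized key for each risk object via an alias lookup, then count how many raw forms (hostname vs. IP, userID vs. email) collapse onto it. The lookup name `my_asset_identity_aliases` and its fields `alias`/`canonical` are assumptions; `risk_object`, `risk_object_type` and `risk_score` are the standard fields written to the risk index.

```spl
index=risk earliest=-7d
| eval risk_object=lower(trim(risk_object))
| lookup my_asset_identity_aliases alias AS risk_object OUTPUTNEW canonical
| eval normalized_object=coalesce(canonical, risk_object)
| stats sum(risk_score) AS total_risk dc(risk_object) AS raw_forms values(risk_object) AS raw_objects count AS events by normalized_object risk_object_type
| where raw_forms > 1
| sort - total_risk
```

Rows with raw_forms greater than 1 are the objects whose risk is currently split across several identifiers and therefore likely to produce duplicate notables.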