I'm using RBA and am having issues with duplicate notables for the same thing. For example, I'll get a notable for both a host name and an IP, or I'll get one for a userID and an email.
How do assets and identities work with RBA and the Risk Index?
I'm going to talk to myself,
What is the mechanism that normalizes risk_objects in the risk index/data model?
https://docs.splunk.com/Documentation/ES/7.0.2/Admin/Manageassetsandidentities
Is there supposed to be an alias? I heard rumors of a risk_object_asset field, but I don't know how to create it. Should I just coalesce(hostname,ip,email,userid)?