Splunk Enterprise Security

Why aren't Risk Score, Risk Event and Risk Object showing in the notable event?

syazwani
Path Finder

Hi peeps,

We were fine-tuning the Notable Event, and there were fields that were not showing any values. Those fields are the Risk Score, Risk Event and Risk Object. We have configured the value under the Risk Analysis Tab.


Please assist us on this. Thank you.

0 Karma

hettervi
Builder

Hi. Yes, I see the confusion. The fields you add under the response action "Risk Analysis" are not added to the notable event itself (index=notable), they are added to the risk event (index=risk). These risk events are used for Risk-Based Alerting, among other things.

If you want the "user" and "app" fields to be added to the notable event, just make sure these fields are present in the final output of your correlation search, and you should see them in the incident.

0 Karma
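An added illustration of the split described in the answer, not code from the thread or from Splunk: a savedsearches.conf stanza for a correlation search that keeps `user` and `app` in its final output (so they land on the notable) while the Risk Analysis action writes a separate risk event. The search name, source data, threshold and score are assumptions; the `action.notable` and `action.risk.param.*` keys are the ones Splunk ES writes when you configure those response actions in the UI.

```ini
# Constructed example stanza (savedsearches.conf in an ES app).
# Search name, index, threshold and score are placeholders.
[Threat - Excessive Failed Logins - Rule]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Whatever the LAST pipeline stage emits becomes the notable's fields.
# "user" and "app" survive the stats/table, so they show in the incident.
search = index=authentication action=failure \
| stats count AS failures values(app) AS app BY user src \
| where failures > 10 \
| table _time user app src failures

# Notable Event response action: creates the event in index=notable.
action.notable = 1

# Risk Analysis response action: does NOT touch the notable. It writes a
# risk event to index=risk carrying risk_object, risk_object_type and
# risk_score, which Risk-Based Alerting aggregates. _risk_object names a
# field that must exist in the search output, hence "user" above.
action.risk = 1
action.risk.param._risk_object = user
action.risk.param._risk_object_type = user
action.risk.param._risk_score = 40
```

To confirm where each field ended up, compare `index=notable search_name="Threat - Excessive Failed Logins - Rule"` with `index=risk search_name="Threat - Excessive Failed Logins - Rule" | stats sum(risk_score) BY risk_object`; only the second returns the risk fields.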