Why aren't Risk Score, Risk Event and Risk Object ...

syazwani · ‎09-07-2022

Hi peeps,

We were fine tuning the Notable Event, and there were fields that were not showing any values. Those fields are the Risk Score, Risk Event and Risk Object. We have configure the value under the Risk Analysis Tab.

Please assist us on this. Thank you.

roberto_baggio · ‎02-08-2024

Hey so did you find the solution? We stacked with the same issue and seams no one knows how to fix it.

travis_lelle · ‎09-22-2023

Have you found a solution for this? I'm experiencing the same thing, and I made sure that the fields we provided in the Risk Analysis Adaptive response Action is a valid field that is being presented in the correlation search results. In fact, I'm using the same fields as variables in the title of the notable event. But nothing is populating in Incident review for Risk Score, Risk Event, and Risk Object.

hettervik · ‎09-15-2022

Hi. Yes, I see the confusion. The fields you add under the response action "Risk Analysis" are not added the the notable event itself (index=notable), they are added to the risk event (index=risk). These risk events are used for Risk-Based Alerting, among other things.

If you want the "user" and "app" fields to be added to the notable event, just make sure these fields are present in the final output of your correlation search, and you shoud see them in the incident.

Why aren't Risk Score, Risk Event and Risk Object showing in the notable event?

configuration

risk analysis

using Enterprise Security

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!