Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why aren't Risk Score, Risk Event and Risk Object showing in the notable event?

syazwani
Path Finder
‎09-07-2022 12:04 AM

Hi peeps,

We were fine tuning the Notable Event, and there were fields that were not showing any values. Those fields are the Risk Score, Risk Event and Risk Object. We have configure the value under the Risk Analysis Tab. 

WhatsApp Image 2022-09-07 at 15.00.21.jpeg

WhatsApp Image 2022-09-07 at 15.01.06.jpeg

Please assist us on this. Thank you.

0 Karma
Reply

hettervi
Builder
‎09-15-2022 04:14 AM

Hi. Yes, I see the confusion. The fields you add under the response action "Risk Analysis" are not added the the notable event itself (index=notable), they are added to the risk event (index=risk). These risk events are used for Risk-Based Alerting, among other things.

If you want the "user" and "app" fields to be added to the notable event, just make sure these fields are present in the final output of your correlation search, and you shoud see them in the incident.

0 Karma
Reply
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...