I am trying to pull up the Risk Event Timeline for a Risk Notable in my Incident Review Dashboard. Every time I click the link, it gives me an error saying "Risk event has missing or invalid fields".
I know that Risk Event Timeline only works for the risk_object field on Risk Notables.
For me, the risk event timeline works for the ES built-in RIRs such as "Risk - 24 Hour Risk Threshold Exceeded - Rule". However, we don't use them and we have our own RIRs, for which we had the same problem as the OP.
The first step is to make sure our RIRs are mentioned in the "risk_notables" event type; otherwise the option to open the risk event timeline isn't there.
Then, looking at "Risk - 24 Hour Risk Threshold Exceeded - Rule" it produces the following fields:
source (a multivalue field with the names of the RR correlations)
I can't confirm which ones are indeed required, but adding these to my RIR got rid of the error message.
The next hurdle was "Risk event search did not return any results. Please verify notable drilldown search."
This was solved by copying the drilldown search from "Risk - 24 Hour Risk Threshold Exceeded - Rule" to the drilldown search of my RIR.
Now the risk event timeline works for us 🙂 Of course, it's too limited to be useful but it's nice to be aligned with what ES is doing in case it one day becomes useful.
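As an added example (not from the thread or from Splunk's shipped content), here is what the procedure in the post above looks like as configuration for a hypothetical custom RIR. The stanza name "Risk - Custom Threshold Exceeded - Rule", the file locations, the threshold of 100, the drilldown search and the exact Risk data model field list are all assumptions; the thread itself only confirms that risk_object, source, calculated_risk_score and the risk_* fields were involved, and recommends copying the shipped rule's drilldown search verbatim.

```ini
# local/eventtypes.conf  (assumed location)
# Step 1: make the custom RIR a member of the "risk_notables" event type so the
# Incident Review link appears. ASSUMPTION: the shipped event type matches on
# search_name. Keep whatever clause ES ships in default/eventtypes.conf and OR
# your own search_name onto it, rather than replacing it wholesale.
[risk_notables]
search = eventtype=notable AND (search_name="Risk - 24 Hour Risk Threshold Exceeded - Rule" OR search_name="Risk - Custom Threshold Exceeded - Rule")

# local/savedsearches.conf  (assumed location)
# Step 2: the RIR itself. The search emits the fields the thread reports the
# shipped rule producing (risk_object, multivalue source) plus
# calculated_risk_score and the risk_* fields. Which of these the timeline
# strictly requires is not documented on the page; treat the set as assumed.
[Risk - Custom Threshold Exceeded - Rule]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
search = | tstats summariesonly=true sum(All_Risk.risk_score) as risk_score, values(All_Risk.source) as source, dc(All_Risk.source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object, All_Risk.risk_object_type | rename All_Risk.risk_object as risk_object, All_Risk.risk_object_type as risk_object_type | eval calculated_risk_score=risk_score | where calculated_risk_score > 100
# Notable action: the drilldown is what the timeline runs, so it must return
# the underlying risk events for the clicked notable. ASSUMPTION: this form of
# the drilldown; the post above copied the shipped rule's drilldown instead,
# which is the safer choice.
action.notable = 1
action.notable.param.rule_title = Risk threshold exceeded for $risk_object$
action.notable.param.security_domain = threat
action.notable.param.severity = high
action.notable.param.drilldown_name = View risk events for $risk_object$
action.notable.param.drilldown_search = | from datamodel:"Risk"."All_Risk" | search risk_object="$risk_object$" risk_object_type="$risk_object_type$"
action.notable.param.drilldown_earliest_offset = $info_min_time$
action.notable.param.drilldown_latest_offset = $info_max_time$
```

Two checks before relying on this: confirm the field set by comparing your notable's raw event side by side with one produced by the shipped rule, and confirm the drilldown by running it by hand with a real risk_object and risk_object_type substituted for the tokens; the "Risk event search did not return any results" error from the post above means the drilldown, not the field set, is the problem.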
We have the same problem. Here is a screenshot:
I would love for this question from the original poster to be answered:
"Is there somewhere that defines what fields are required in the Risk Notable?"
I had encountered the same issue, and I had to change the drill-down to ensure calculated_risk_score is available in addition to all risk_* fields - https://docs.splunk.com/Documentation/ES/7.1.1/RBA/TopologyVisualization
If this helps, please mark this as accepted. Thanks.