I'm trying to dynamically add risk modifiers with sendalert for Enterprise Security. The ad-hoc search works and adds a risk modifier event, but the saved search fails with the error below. I raised dispatch.ttl by a large amount for testing.
| from datamodel:Intrusion_Detection
[| inputlookup internal_ip | rename ip as src]