We are trying to integrate the risk analysis framework in our incident response process.
We have developed a library of correlation searches where the results produce multiple objects upon which we need to assign risk, e.g. src, dest, users. When we add the "| sendalert risk" components to the correlation searches, notable events no longer generate and risk scores are NOT applied. When we run the searches ad hoc, the risk scores are properly assigned and the results appear as expected.
Can "| sendalert" not appear in a correlation search? The Risk Analysis adaptive response action is not sufficient, as we cannot dynamically set the risk tolerance, nor set risk against multiple objects with that action.
e.g. | eval risk_score=case(severity=="critical", 20, severity=="high", 15, severity=="medium", 10, severity=="low", 5)
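Added example (not from the poster or from Splunk's documentation): one SPL search that keeps the poster's severity-to-score mapping, then fans each result out into one row per risk object (src and dest as system objects, user as a user object) before a single "| sendalert risk". The input rows are constructed with makeresults so it can be pasted into a search bar. It assumes that the ES risk alert action accepts field names in param._risk_object / param._risk_object_type, and that a risk_score field present in the results is honoured per row; verify both against the Enterprise Security version in use before relying on it.

```spl
| makeresults count=3
| streamstats count AS n
| eval src=case(n==1,"10.0.0.5", n==2,"10.0.0.6", n==3,"10.0.0.7"),
       dest=case(n==1,"10.1.1.9", n==2,"10.1.1.9", n==3,"10.1.1.10"),
       user=case(n==1,"alice", n==2,"bob", n==3,"carol"),
       severity=case(n==1,"critical", n==2,"medium", n==3,"low")
``` constructed sample rows; in practice these come from the correlation search itself ```
| eval risk_score=case(severity=="critical", 20, severity=="high", 15,
                       severity=="medium", 10, severity=="low", 5, true(), 1)
``` the poster's mapping, plus a catch-all so an unexpected severity never yields a null score ```
| eval risk_pairs=mvappend("system|".src, "system|".dest, "user|".user)
| mvexpand risk_pairs
| rex field=risk_pairs "^(?<risk_object_type>[^|]+)\|(?<risk_object>.+)$"
| where isnotnull(risk_object) AND risk_object!=""
| fields - risk_pairs n
``` one row per (object, type) pair; empty objects are dropped so no blank risk entry is written ```
| sendalert risk param._risk_object="risk_object" param._risk_object_type="risk_object_type" param._risk_score="risk_score" param._risk_message="Constructed example: $result.severity$ finding"
```

The three triple-backtick lines inside the block are explanatory notes, not SPL; remove them before running. The fan-out via mvappend/mvexpand is what makes a single risk action cover several objects per result, which is the limitation the post describes with the adaptive response action.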