I have an app with my alerts. I have risk enabled and it's working; however, risk isn't showing up in the Edit Correlation Search menu. Is there a setting in a .conf file I am missing? I looked into alert_actions.conf but don't see any other rule with that linking to it. Below is my risk setting for one of my rules:
action.risk = 1
action.risk.param._risk = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 14}]
action.risk.param._risk_message = Wsmprovhost.exe spawned a LOLBAS process on $dest$.
action.risk.param._risk_score = 0
action.risk.param.verbose = 0