Hi everyone, I’m seeing a discrepancy with the Risk Modular Alert Action in Splunk ES. When triggering the risk action via sendalert risk, the resulting risk events do not include source_guid and source_event_id. However, when creating a risk event via the UI (e.g., correlation search action configured in the UI, or “Create Risk Event” from a workflow action), those fields are present. I’m trying to determine if this is version/content-related or a bug.

Environment
Splunk Enterprise: 9.2.4
Splunk Enterprise Security: 8.2.1

Expected behavior
Risk events should include:
- source_guid (a GUID)
- source_event_id ({GUID}@@{index}@@{GUID_without_dashes})

Actual behavior
- Via sendalert risk: Risk modifier events are created but missing source_guid / source_event_id.
- Via UI (configured risk action / “Create Risk Event”): Risk events include both fields as expected.

Impact
These missing fields lead to downstream issues: finding-based detections (formerly Risk Incident Rules) don’t behave as expected, and resulting items do not appear in the Analyst Queue, even though the risk event exists. UI-created risk events with the same semantics do surface correctly in the Analyst Queue.

Questions for the community
1. On your Splunk/ES version, do sendalert risk and UI-created risk events both populate source_guid / source_event_id, or do you see the same discrepancy?
2. Was there a change in recent ES/Content versions affecting sendalert risk specifically? Any known issue/bug?
3. Do you explicitly populate these fields via macro/enrichment for sendalert, or should the action populate them natively?
4. Has Splunk stated any plans to deprecate or remove creating risk events via SPL (e.g., sendalert risk / collectrisk) in favor of UI-driven actions? If so, what’s the recommended replacement and timeline?

Thanks in advance for your insights!
-- Sky
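An audit search for the discrepancy described in the post, added here as an example and not part of the original post or of Splunk's own content. It counts risk events per originating search by whether source_guid and source_event_id are present and whether source_event_id matches the {GUID}@@{index}@@{GUID_without_dashes} shape the post describes, so the gap between sendalert risk and UI-created events can be measured rather than spot-checked. It assumes the default risk index is named risk and that risk events carry a search_name field identifying the correlation search; both are assumptions to adjust for your environment.

```spl
index=risk earliest=-24h
| eval has_source_guid=if(isnotnull(source_guid), "yes", "no")
| eval has_source_event_id=if(isnotnull(source_event_id), "yes", "no")
| eval id_format_ok=case(
      isnull(source_event_id), "n/a",
      match(source_event_id, "^[0-9A-Fa-f-]{36}@@[^@]+@@[0-9A-Fa-f]{32}$"), "yes",
      true(), "no")
| stats count by search_name, has_source_guid, has_source_event_id, id_format_ok
| sort - count
```

Rows with has_source_guid="no" grouped under the searches that use sendalert risk, next to rows with "yes" for UI-configured risk actions, reproduce the behavior in the post; a row with id_format_ok="no" instead points at a malformed value rather than a missing one, which is a different problem to chase.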