Solved: Re: How to use multiple risk object fields on ES R...

alonsocaio · ‎10-29-2019

When creating or editing a correlation search in Enterprise Security, Is there any way to use multiple fields on the Risk Analysis response action?

As an example, I have a correlation search which I want to increase risk to both src and dest. I tried to separate this two fields using comma, but it does not seen to work.

starcher · ‎10-29-2019

The UI does not support that.
You can review the docs on how to edit risk on another object by also doing it in your SPL search. Look at the section calling the sendalert command.

https://docs.splunk.com/Documentation/ES/5.3.1/User/RiskScoring

View solution in original post

starcher · ‎10-29-2019

The UI does not support that.
You can review the docs on how to edit risk on another object by also doing it in your SPL search. Look at the section calling the sendalert command.

https://docs.splunk.com/Documentation/ES/5.3.1/User/RiskScoring

alonsocaio · ‎10-29-2019

Thanks, I think this will help me.

How to use multiple risk object fields on ES Risk Analysis response action?

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!