Add a risk message and a risk score to a notable
Ram adds a risk message and a risk score to the notable event that represents a threat by creating an adaptive response action. Adaptive response actions can be used to gather more information, take an action in another system, send information to another system, modify a risk score, and so on. Adding a custom risk message helps Ram to build detections based on specific information, such as risk scores, instead of merely relying on the Risk Analysis data model schema.
- From a risk notable event, Ram selects the arrow to expand the Actions column and clicks Run Adaptive Response Actions.
- Ram clicks Add New Response Action and selects the Risk Analysis adaptive response action from the dropdown list to create risk modifier events in the risk index.
- Ram types a risk message,
Possible Bypass of User Account Controls
. - Ram also adds a risk modifier by populating the following fields:
- Risk Score
- Risk Object Field
- Risk Object Type
- Ram clicks Run to run the adaptive risk action on the notable.
Classify risk objects based on annotations | Adjust risk scores for specific objects |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0
Feedback submitted, thanks!