Add a risk message and a risk score to a notable
Ram adds a risk message and a risk score to the notable event that represents a threat by running an adaptive response action on it. Adaptive response actions can gather more information, take an action in another system, send information to another system, modify a risk score, and so on. The Risk Analysis action writes a risk modifier event to the risk index, and a custom risk message on that event gives Ram a specific, searchable field to build detections on, rather than relying only on the fields that the Risk Analysis data model schema provides.
- From a risk notable event, Ram selects the arrow to expand the Actions column and clicks Run Adaptive Response Actions.
- Ram clicks Add New Response Action and selects the Risk Analysis adaptive response action from the dropdown list. This action creates risk modifier events in the risk index.
- Ram types a risk message, for example: Possible Bypass of User Account Controls.
- Ram also adds a risk modifier by populating the following fields:
  - Risk Score
  - Risk Object Field
  - Risk Object Type
- Ram clicks Run to run the Risk Analysis adaptive response action on the notable.
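Once the action has run, the result is a risk modifier event in the risk index carrying the risk message and the risk score. The search below is an added example, not part of the original page or the Splunk ES product documentation, showing how Ram can use that custom risk message as detection logic. It assumes the default risk index name `risk`, the standard risk event fields `risk_object`, `risk_object_type`, `risk_score`, and `risk_message`, and that `source` holds the name of the search or action that produced the modifier; the thresholds of 100 points or 3 modifiers are illustrative values, not ES defaults.

```spl
index=risk risk_message="Possible Bypass of User Account Controls"
| stats sum(risk_score) AS total_risk_score
        count AS modifier_count
        values(risk_message) AS risk_messages
        values(source) AS contributing_sources
        min(_time) AS first_seen
        max(_time) AS last_seen
    BY risk_object, risk_object_type
| where total_risk_score >= 100 OR modifier_count >= 3
| convert ctime(first_seen) ctime(last_seen)
| sort - total_risk_score
```

The filter on `risk_message` is the point of the example: because Ram typed a specific message, the search can select exactly the modifiers that describe this behaviour, which a search over the generic Risk Analysis data model fields alone cannot do. Running the same search without the `risk_message` filter gives the aggregate risk per object across all sources, which is the usual basis for a risk incident rule.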
See also:
- Classify risk objects based on annotations
- Adjust risk scores for specific objects
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2