Troubleshooting risk based alerting in Splunk Enterprise Security
The following are issues you might run into while working with risk-based alerting:
Upgrade issues with risk factors
Issue
After an upgrade of Splunk Enterprise Security, the Risk data model file Risk.json might not be updated, and the following error message appears: Error in "DataModelEvaluator". JSON for datamodel risk is invalid.
Cause
Editing risk factors with the Risk Factor editor modifies the risk_factors.conf configuration file and, when the deployer pushes the updated Risk data model, creates a local copy of the Risk data model on each Enterprise Security search head cluster member. The local copy of the Risk data model, /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json, can differ from the default copy, /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json. Because files in local take precedence over files in default, the search heads keep loading the outdated local copy after the upgrade instead of the updated default copy.
Solution
On-prem:
Back up the local copy of the Risk.json file on each search head cluster member so that you can refer to any customizations it contains, then delete the local copy and restart the search head cluster. After the restart, confirm that all risk factors you customized are present in the Risk.json file that is now in effect.
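The following script is an added example, not part of the Splunk documentation or of Enterprise Security. It does the pre-checks a practitioner wants before following the on-prem steps above: it parses the local copy of Risk.json to confirm it is the file that trips the "JSON for datamodel risk is invalid" error, lists every field and calculated output field the local copy carries that the default copy does not (the page does not say how customized risk factors are represented inside Risk.json, so treating each extra field as a possible customization is an assumption), and moves the local copy to a backup directory instead of deleting it outright. The file paths are the ones the page names; the sample JSON documents are constructed and trimmed, not real Splunk data model files. Run it on each search head cluster member, then restart the cluster as the page describes.

```python
"""Pre-flight checks for removing a stale local Risk.json (added example)."""
import json
import shutil
import sys
from pathlib import Path

# Paths named on the troubleshooting page; adjust if Splunk is installed elsewhere.
APP_DIR = Path("/opt/splunk/etc/apps/SA-ThreatIntelligence")
DEFAULT_MODEL = APP_DIR / "default" / "data" / "models" / "Risk.json"
LOCAL_MODEL = APP_DIR / "local" / "data" / "models" / "Risk.json"

# Constructed samples (not real Splunk files). The local sample carries one
# extra calculated output field; the broken sample has a trailing comma, which
# is the kind of defect that makes DataModelEvaluator report invalid JSON.
DEFAULT_SAMPLE = """{"modelName": "Risk", "objects": [{"objectName": "All_Risk",
 "fields": [{"fieldName": "risk_object"}, {"fieldName": "risk_score"}],
 "calculations": [{"calculationType": "Eval",
                   "outputFields": [{"fieldName": "risk_object_type"}]}]}]}"""
LOCAL_SAMPLE = """{"modelName": "Risk", "objects": [{"objectName": "All_Risk",
 "fields": [{"fieldName": "risk_object"}, {"fieldName": "risk_score"}],
 "calculations": [{"calculationType": "Eval",
                   "outputFields": [{"fieldName": "risk_object_type"}]},
                  {"calculationType": "Eval",
                   "outputFields": [{"fieldName": "risk_factor_custom"}]}]}]}"""
BROKEN_LOCAL_SAMPLE = """{"modelName": "Risk", "objects": [{"objectName": "All_Risk",
 "fields": [{"fieldName": "risk_object"},]}]}"""


def parse_model(text):
    """Parse data model JSON. Returns (model, None) or (None, error string)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno} col {exc.colno}: {exc.msg}"


def model_fields(model):
    """Set of (objectName, fieldName) for every field and calculated output
    field in the model. Assumption: customizations show up as extra entries here."""
    found = set()
    for obj in model.get("objects", []):
        oname = obj.get("objectName", "")
        for field in obj.get("fields", []):
            found.add((oname, field["fieldName"]))
        for calc in obj.get("calculations", []):
            for field in calc.get("outputFields", []):
                found.add((oname, field["fieldName"]))
    return found


def compare_models(default_text, local_text):
    """Report whether the local copy parses and how it differs from default.
    'only_in_local' is what you would lose by deleting the local copy."""
    default_model, err = parse_model(default_text)
    if err:
        raise ValueError(f"default Risk.json does not parse: {err}")
    local_model, err = parse_model(local_text)
    if err:
        return {"local_valid": False, "error": err,
                "only_in_local": set(), "only_in_default": set()}
    dflt, local = model_fields(default_model), model_fields(local_model)
    return {"local_valid": True, "error": None,
            "only_in_local": local - dflt, "only_in_default": dflt - local}


def retire_local_copy(local_path, backup_dir):
    """Move the local copy out of the app (rather than deleting it) so the
    restart loads default/. Returns the backup path, or None if no local copy."""
    local_path = Path(local_path)
    if not local_path.exists():
        return None
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / (local_path.name + ".bak")
    shutil.move(str(local_path), str(dest))
    return dest


def main(argv):
    """Usage: python check_risk_model.py [--retire BACKUP_DIR]"""
    if not DEFAULT_MODEL.exists() or not LOCAL_MODEL.exists():
        print("default or local Risk.json not found; nothing to compare")
        return 1
    report = compare_models(DEFAULT_MODEL.read_text(), LOCAL_MODEL.read_text())
    print("local copy parses:", report["local_valid"], report["error"] or "")
    for key in ("only_in_local", "only_in_default"):
        print(f"{key}: {sorted(report[key])}")
    if len(argv) == 3 and argv[1] == "--retire":
        print("moved local copy to", retire_local_copy(LOCAL_MODEL, argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Review the `only_in_local` list before the restart: anything there that came from the Risk Factor editor should be confirmed in the Risk.json that is in effect afterwards, which is the last step of the on-prem procedure.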
On Cloud:
Contact Splunk Support and file a ticket on the Splunk Support Portal. See Support and Services.
Splunk Support removes the local copy from all members of the search head cluster: it copies the default file /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json from an updated Enterprise Security instance and overwrites the local copy /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json with it.
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1