Used a search from the Splunk Risk Framework page:
http://dev.splunk.com/view/enterprise-security/SP-CAAAFBD
Search:
| makeresults | eval risk_object="mysystem"
| sendalert risk param._risk_score="100" param._risk_object_type="system"
I am not seeing the risk scores modified. The alert_actions.conf looks correct and I have tried different objects with no luck. We have notables with risk modification running and those are working, just not from the search pipeline.
Any ideas?