So, I may be misunderstanding how this works, but from reading the blogs and documentation about Risk Analysis, there are many ways of getting risk data into Splunk, and one of the ways that should work out of the box is enabling a correlation search and giving it a risk score and risk object type.
We've done that and have had several events trigger, but the datamodel (and index=risk) remain empty. I also created an ad-hoc risk entry, but there is still no data. This is all leading me to believe I've missed something crucial.
Anyone have any ideas?
This is the documentation I'm referring to:
https://www.splunk.com/blog/2014/08/12/risk-analysis-with-enterprise-security-3-1/
http://docs.splunk.com/Documentation/ES/4.7.1/User/RiskScoring
http://docs.splunk.com/Documentation/ES/4.7.1/User/RiskAnalysis