
Collection: splunk.es, module: splunk_adaptive_response_risk_analysis_events #74

Open
githubmagu opened this issue Jun 21, 2024 · 0 comments


githubmagu commented Jun 21, 2024

SUMMARY

This functionality would allow programmatically managing risk objects defined within a correlation search. Currently this is not supported at all.

Risk based Alerting information:
https://lantern.splunk.com/Security/UCE/Guided_Insights/Risk-based_alerting/Implementing_risk-based_alerting

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

New module: splunk_adaptive_response_risk_analysis_events

ADDITIONAL INFORMATION

Usage: exactly the same as other modules from this collection but using different fields / data structures

      - name: Add adaptive response risk analysis events config
        splunk.es.splunk_adaptive_response_risk_analysis_events:
          config:
            - correlation_search_name: "{{ correlation_search }}"
              name: "{{ risk_message_title }}"
              description: "{{ correlation_search_description }}"
              risk_modifiers:
                risk_objects:
                  - risk_object_field: value11
                    risk_object_type: value12
                    risk_object_score: value13
                  - risk_object_field: value21
                    risk_object_type: value22
                    risk_object_score: value23
                   [...]
                threat_objects:
                  - threat_object_field: value31
                    threat_object_type: value32
                  - threat_object_field: value41
                    threat_object_type: value42
                   [...]
          state: merged

N/A
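As an added illustration (not code from the splunk.es collection or from the issue author), the following Python sketch shows how a module implementing this request could validate the proposed `risk_modifiers` structure and apply `state: merged` semantics, returning the merged result together with a `changed` flag as Ansible resource modules do. The key names (`risk_object_field`, `risk_object_type`, `risk_object_score`, `threat_object_field`, `threat_object_type`) come from the issue; the merge key (field plus type), the non-negative score check and the set of accepted risk object types are assumptions of this example.

```python
"""Validate and merge a risk_modifiers block (added example, not splunk.es code).

Assumptions of this example: risk objects are identified by
(risk_object_field, risk_object_type), threat objects by
(threat_object_field, threat_object_type); scores are non-negative integers;
risk object types are limited to the set below.
"""

RISK_OBJECT_KEYS = {"risk_object_field", "risk_object_type", "risk_object_score"}
THREAT_OBJECT_KEYS = {"threat_object_field", "threat_object_type"}
# Accepted risk object types; an assumption of this example, not taken from the issue.
KNOWN_RISK_OBJECT_TYPES = {"user", "system", "other"}


def check_risk_modifiers(risk_modifiers):
    """Return None if the structure is well formed, else a human-readable error.

    Unknown keys are rejected so that a misspelling such as 'threat object_field'
    fails early instead of being silently ignored by the module.
    """
    if not isinstance(risk_modifiers, dict):
        return "risk_modifiers must be a mapping"
    sections = (("risk_objects", RISK_OBJECT_KEYS), ("threat_objects", THREAT_OBJECT_KEYS))
    for section, allowed in sections:
        for idx, entry in enumerate(risk_modifiers.get(section) or []):
            if not isinstance(entry, dict):
                return f"{section}[{idx}] must be a mapping"
            unknown = set(entry) - allowed
            if unknown:
                return f"{section}[{idx}]: unknown keys {sorted(unknown)}"
            missing = allowed - set(entry)
            if missing:
                return f"{section}[{idx}]: missing keys {sorted(missing)}"
    for idx, ro in enumerate(risk_modifiers.get("risk_objects") or []):
        score = ro["risk_object_score"]
        if isinstance(score, bool) or not isinstance(score, int) or score < 0:
            return f"risk_objects[{idx}]: risk_object_score must be a non-negative integer"
        if ro["risk_object_type"] not in KNOWN_RISK_OBJECT_TYPES:
            return f"risk_objects[{idx}]: unknown risk_object_type {ro['risk_object_type']!r}"
    return None


def merge_risk_modifiers(existing, desired):
    """Apply `state: merged`: desired entries are added to or update existing ones,
    entries only present in `existing` are kept. Returns (merged, changed)."""
    for label, block in (("existing", existing), ("desired", desired)):
        err = check_risk_modifiers(block)
        if err is not None:
            raise ValueError(f"{label}: {err}")

    changed = False
    # dicts keep insertion order, so existing entries stay first and new ones follow
    risk_by_key = {(r["risk_object_field"], r["risk_object_type"]): dict(r)
                   for r in existing.get("risk_objects") or []}
    for r in desired.get("risk_objects") or []:
        key = (r["risk_object_field"], r["risk_object_type"])
        if risk_by_key.get(key) != r:
            changed = True
            risk_by_key[key] = dict(r)

    threat_by_key = {(t["threat_object_field"], t["threat_object_type"]): dict(t)
                     for t in existing.get("threat_objects") or []}
    for t in desired.get("threat_objects") or []:
        key = (t["threat_object_field"], t["threat_object_type"])
        if key not in threat_by_key:
            changed = True
            threat_by_key[key] = dict(t)

    merged = {"risk_objects": list(risk_by_key.values()),
              "threat_objects": list(threat_by_key.values())}
    return merged, changed


if __name__ == "__main__":
    # Constructed sample data, not taken from any real correlation search.
    current = {"risk_objects": [{"risk_object_field": "user",
                                 "risk_object_type": "user",
                                 "risk_object_score": 20}],
               "threat_objects": []}
    wanted = {"risk_objects": [{"risk_object_field": "user",
                                "risk_object_type": "user",
                                "risk_object_score": 50},
                               {"risk_object_field": "dest",
                                "risk_object_type": "system",
                                "risk_object_score": 30}],
              "threat_objects": [{"threat_object_field": "src_ip",
                                  "threat_object_type": "ip"}]}
    result, did_change = merge_risk_modifiers(current, wanted)
    print(did_change, result)
    print(check_risk_modifiers({"threat_objects": [{"threat object_field": "x",
                                                    "threat_object_type": "ip"}]}))
```

Running the merge a second time with the same desired input reports `changed` as false, which is the idempotency a `merged` state is expected to provide.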
