Splunk Enterprise Security

Why is risk event timeline not working and giving an Error: "Risk event has missing or invalid fields"?

stewlarsen
New Member

I am trying to pull up the Risk Event Timeline for a Risk Notable in my Incident Review Dashboard. Every time I click the link, it gives me an error saying "Risk event has missing or invalid fields".

I know that Risk Event Timeline only works for the risk_object field on Risk Notables.

  1. We have noticed a couple of issues that were related to Search-Driven lookups being disabled.  Might there be a lookup table that is referenced here that might be in the same boat?
  2. Is there somewhere that defines what fields are required in the Risk Notable?
  3. Any way to troubleshoot what is missing or incorrect?

gabriel_vasseur
Contributor

For me, the risk event timeline works for the ES built-in RIRs such as "Risk - 24 Hour Risk Threshold Exceeded - Rule". However we don't use them and we have our own RIRs, for which we had the same problem as the OP.

First step is to make sure our RIRs are mentioned in the "risk_notables" event type, otherwise the option to open the risk event timeline isn't there.

Then, looking at "Risk - 24 Hour Risk Threshold Exceeded - Rule", it produces the following fields:

  - risk_object
  - risk_object_type
  - risk_score
  - risk_threshold
  - risk_event_count
  - mitre_tactic_id_count
  - mitre_technique_id_count
  - source (multivalue field with the names of the RR correlations)
  - source_count

I can't confirm which ones are indeed required, but adding these to my RIR got rid of the error message.

The next hurdle was "Risk event search did not return any results. Please verify notable drilldown search."

This was solved by copying the drilldown search from "Risk - 24 Hour Risk Threshold Exceeded - Rule" to the drilldown search of my RIR.

Now the risk event timeline works for us 🙂 Of course, it's too limited to be useful but it's nice to be aligned with what ES is doing in case it one day becomes useful.


gabriel_vasseur
Contributor

We have the same problem. Here is a screenshot: risk timeline.PNG

I would love for this question from the original poster to be answered:

"Is there somewhere that defines what fields are required in the Risk Notable?"

lakshman239
Influencer

@gabriel_vasseur @stewlarsen @marysan - Not sure if you have managed to resolve this.

I had encountered the same issue and I had to change the drill-down to ensure calculated_risk_score is available in addition to all risk_* fields - https://docs.splunk.com/Documentation/ES/7.1.1/RBA/TopologyVisualization

If this helps, pls mark this accepted. thx

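The two answers above give a working checklist of fields (gabriel_vasseur's list from the built-in "Risk - 24 Hour Risk Threshold Exceeded - Rule", plus the calculated_risk_score that lakshman239 needed), but neither says how to find out which notables from a custom RIR are actually missing them. The following is an added example, not code from the thread or from Splunk: it builds the export search for the notable index and then audits an exported CSV, reporting per rule how many notables lack each checklist field. The field list is drawn from the thread and is not an official required-field list; the `notable` macro and the rule_name field are assumed to behave as they do in ES; the sample CSV is constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Fields gabriel_vasseur observed on the built-in "Risk - 24 Hour Risk
# Threshold Exceeded - Rule" notable, plus calculated_risk_score, which
# lakshman239 needed in the drilldown. This is a checklist drawn from the
# thread, not an official required-field list (assumption).
RISK_NOTABLE_FIELDS = [
    "risk_object",
    "risk_object_type",
    "risk_score",
    "risk_threshold",
    "risk_event_count",
    "mitre_tactic_id_count",
    "mitre_technique_id_count",
    "source",
    "source_count",
    "calculated_risk_score",
]

# Search to export the checklist fields for risk notables as CSV.
# `notable` is ES's own macro and risk_notables is the eventtype named in
# the thread (assumed to be present as shown). Note that "source" is also a
# default Splunk field, so its presence in the export does not by itself
# prove that the RIR wrote its own multivalue source field.
EXPORT_SEARCH = (
    "`notable` | search eventtype=risk_notables "
    "| table rule_name " + " ".join(RISK_NOTABLE_FIELDS)
)


def missing_fields(row):
    """Return the checklist fields that are absent or blank in one notable row."""
    return [f for f in RISK_NOTABLE_FIELDS if not (row.get(f) or "").strip()]


def audit_notables(csv_text):
    """Group exported notables by rule_name and count, per rule, how many
    notables lack each checklist field. A rule with an empty 'missing' dict
    carries every field on every notable seen."""
    reader = csv.DictReader(io.StringIO(csv_text))
    report = defaultdict(lambda: {"notables": 0, "missing": Counter()})
    for row in reader:
        entry = report[row.get("rule_name") or "(no rule_name)"]
        entry["notables"] += 1
        entry["missing"].update(missing_fields(row))
    return {rule: {"notables": e["notables"], "missing": dict(e["missing"])}
            for rule, e in report.items()}


# Constructed sample export (not real data): the built-in rule carries every
# field; a custom RIR omits the count fields, risk_threshold and, on one
# notable, risk_score.
SAMPLE_CSV = """rule_name,risk_object,risk_object_type,risk_score,risk_threshold,risk_event_count,mitre_tactic_id_count,mitre_technique_id_count,source,source_count,calculated_risk_score
Risk - 24 Hour Risk Threshold Exceeded - Rule,host01,system,120,100,7,2,3,Rule A,1,120
Custom - My Risk Incident Rule,alice,user,150,,,,,Rule B,,
Custom - My Risk Incident Rule,bob,user,,,,,,Rule B,,
"""

if __name__ == "__main__":
    print("Export with:", EXPORT_SEARCH)
    for rule, result in audit_notables(SAMPLE_CSV).items():
        print(rule, result)
```

Run EXPORT_SEARCH in Splunk over the time range that produced the failing notables, export the result as CSV, and pass its text to audit_notables(); the fields that show up under a custom rule but not under the built-in rule are the first candidates to add to that RIR's search or drilldown. A blank cell and an absent column are treated the same, since the timeline cannot use either.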

gabriel_vasseur
Contributor

I did resolve this issue for us, as per my other post on this page.

Weirdly, it didn't involve the calculated_risk_score field, as we just don't have that field at all. Weird!


marysan
Communicator

Hi,

Please post a picture or screenshot.
