Configuration Guide

Christoph Dittmann edited this page Jul 19, 2015 · 5 revisions

Introduction

The main purpose of the Risk Manager app is to extend Splunk's core functionality with risk scoring.

Risk Manager core concepts

Risk Manager is built on top of Splunk's core alerting functionality. Risk Manager analyzes the search results of an alert and looks for a risk object defined by the user. If a risk object is found, the risk object's name is stored together with a risk score inside a KV store collection.

Risk Settings

To define which risk events should apply risk object scoring within Risk Manager, select the item Risk Settings under the Settings menu.

Risk Settings

Alert

The name of the alert that searches for risk events

Risk Object

The object under risk

Risk Score

A numerical value that represents a relative risk. Can be positive or negative

Contributing Data

Data that contributed to or caused the risk event

Configure Alerts

For alerts to be managed by Risk Manager, a few prerequisites have to be fulfilled.

The scheduled alert has to run the alert script risk_handler.py. Enable "Run a script" under the Splunk Saved Searches configuration page, and enter the script name into the text field.

The alert has to be run by a user with the risk_manager role. This is needed for the risk_handler.py script to be able to ingest alert metadata into the risks index.

Note! If an alert returns more than one risk object (i.e. more than one row), select per-result alerting; otherwise only the first risk object will be scored.
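The three prerequisites above map onto settings of the alert's savedsearches.conf stanza: "Run a script" is action.script = 1 with action.script.filename naming the script, and per-result alerting is alert.digest_mode = 0 (Splunk's default is digest mode, 1). The following is an added example, not code from the Risk Manager app, that reads constructed sample stanzas and reports which prerequisites an alert misses. The stanza names and searches are made up for the example.

```python
"""Check saved-search stanzas against the Risk Manager prerequisites.

Added example, not the app's own code. It assumes the alert is defined in a
savedsearches.conf stanza; action.script, action.script.filename,
alert.digest_mode and enableSched are standard savedsearches.conf keys.
"""
import configparser

# Constructed sample: one alert that qualifies and two that miss something.
SAMPLE_CONF = """
[Suspicious logins]
enableSched = 1
cron_schedule = */15 * * * *
search = index=auth action=failure | stats count by user | where count > 10
action.script = 1
action.script.filename = risk_handler.py
alert.digest_mode = 0

[Outbound beaconing]
enableSched = 1
cron_schedule = */5 * * * *
search = index=proxy | stats count by src_ip
action.script = 1
action.script.filename = risk_handler.py
alert.digest_mode = 1

[Privilege escalation]
enableSched = 1
search = index=os EventCode=4672
action.script = 0
"""

REQUIRED_SCRIPT = "risk_handler.py"


def is_on(value: str) -> bool:
    """Splunk accepts 1/0 and true/false for boolean settings."""
    return str(value).strip().lower() in ("1", "true")


def check_alert_stanza(section: configparser.SectionProxy) -> list:
    """Return a list of problems; an empty list means the alert qualifies."""
    problems = []
    if not is_on(section.get("enableSched", "0")):
        problems.append("alert is not scheduled (enableSched != 1)")
    if not is_on(section.get("action.script", "0")):
        problems.append("'Run a script' is not enabled (action.script != 1)")
    if section.get("action.script.filename", "") != REQUIRED_SCRIPT:
        problems.append("alert script is not %s" % REQUIRED_SCRIPT)
    # Digest mode (the default) hands the script all rows of one run at once,
    # and Risk Manager then scores only the first risk object. Per-result
    # alerting (alert.digest_mode = 0) runs the script once per row.
    if is_on(section.get("alert.digest_mode", "1")):
        problems.append("digest mode is on; only the first risk object per run will be scored")
    return problems


def check_conf(conf_text: str) -> dict:
    """Map each stanza name to its list of problems."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case such as enableSched
    parser.read_string(conf_text)
    return {name: check_alert_stanza(parser[name]) for name in parser.sections()}


if __name__ == "__main__":
    for alert, problems in check_conf(SAMPLE_CONF).items():
        print(alert, "->", problems or "ok")
```

The role requirement is not visible in the stanza itself: the alert's owner is recorded in the app's metadata, so whether that owner holds the risk_manager role has to be checked separately.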

Configure Risk Settings

By default, the table shows all alerts that are managed by Risk Manager (indicated by the _key column). Depending on the App context drop-down selection, the alerts that are readable by the logged-in user's role are displayed. Unmanaged alerts do not yet have a _key set.

Risk Settings Screenshot

To configure an unmanaged alert to be managed, select the App context in which the alert resides. All alerts in that app context will be displayed in the table. Superfluous alerts can be deleted by right-clicking on the table and selecting Remove row.

To store the new incident configuration, select Save settings. Further customization of the incident can be applied before or after saving.

Risk Object

Enter the name of the field that contains the risk object

Risk Score

Enter a numerical value that will be added to the risk object's score

Collect Contributing Data

Select whether data that contributed to or caused the risk event should be stored in the KV store
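The following added example, which is not the app's risk_handler.py, shows what these three settings do to an alert's results: it reads a constructed gzipped CSV results file (the form Splunk passes to a scripted alert), takes the risk object's name from the configured field, adds the configured score per event, and attaches the row as contributing data when that option is selected. The record layout is an assumption, since this page does not describe the KV store collection's schema; the per_result switch illustrates the note above that without per-result alerting only the first risk object is scored.

```python
"""Apply a Risk Manager risk setting to alert results.

Added example, not the app's own code. The KV store record layout below is
an assumption; only the presence of the risk object's name and its score is
stated on the wiki page.
"""
import csv
import gzip
import io
from collections import defaultdict

# Constructed risk setting, as it would be entered on the Risk Settings page.
RISK_SETTING = {
    "alert": "Suspicious logins",
    "risk_object": "user",            # field name containing the risk object
    "risk_score": 20,                 # added to the object's score per event
    "collect_contributing_data": True,
}

# Constructed alert results; the last row has no risk object.
SAMPLE_RESULTS_CSV = (
    "user,src_ip,count\n"
    "alice,10.0.0.5,12\n"
    "bob,10.0.0.9,31\n"
    "alice,10.0.0.7,15\n"
    ",10.0.0.3,40\n"
)


def gz_results(text: str) -> bytes:
    """Pack CSV text the way Splunk stores alert results (gzipped CSV)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(text.encode("utf-8"))
    return buf.getvalue()


def read_results(gz_bytes: bytes) -> list:
    """Decode gzipped CSV results into one dict per row."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as gz:
        return list(csv.DictReader(io.TextIOWrapper(gz, encoding="utf-8")))


def build_risk_records(rows: list, setting: dict, per_result: bool = True) -> list:
    """Return one record per scored risk object.

    With per-result alerting every row is scored. Without it the handler sees
    all rows of a run at once but scores only the first risk object."""
    if not per_result:
        rows = rows[:1]
    records = []
    for row in rows:
        name = (row.get(setting["risk_object"]) or "").strip()
        if not name:
            continue  # no risk object in this row, nothing to score
        record = {
            "risk_object": name,
            "risk_score": setting["risk_score"],
            "alert": setting["alert"],
        }
        if setting["collect_contributing_data"]:
            record["contributing_data"] = dict(row)
        records.append(record)
    return records


def total_scores(records: list) -> dict:
    """Accumulate the scores per risk object, as a KV store lookup would."""
    totals = defaultdict(int)
    for record in records:
        totals[record["risk_object"]] += record["risk_score"]
    return dict(totals)


if __name__ == "__main__":
    rows = read_results(gz_results(SAMPLE_RESULTS_CSV))
    print("per-result:", total_scores(build_risk_records(rows, RISK_SETTING)))
    print("digest:", total_scores(build_risk_records(rows, RISK_SETTING, per_result=False)))
```

Negative scores work the same way, since the setting's risk_score is simply added; a row whose risk object field is empty is skipped rather than scored under an empty name.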