Update threat_object_prevalence.md

better clarity of whats happening
splunk · Sep 1, 2023 · f6e1d44 · f6e1d44
1 parent 32a01e4
commit f6e1d44
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/docs/searches/threat_object_prevalence.md b/docs/searches/threat_object_prevalence.md
@@ -4,10 +4,10 @@
 
  ## Create a Saved Search
 
- You'll have to decide how often you want this information updated, but utilizing `tstats` against the Risk Index means this should be pretty snappy and could run pretty frequently. Create a new saved search with this logic:
+ You'll have to decide how often you want this information updated, but utilizing `tstats` against the Risk Index means this should be pretty snappy and could run pretty frequently over a long timeframe. Create a new saved search with this logic:
 
 ```shell linenums="1"
-| tstats summariesonly=t count earliest(_time) as first_time latest(_time) as last_time from datamodel=Risk.All_Risk by All_Risk.threat_object
+| tstats summariesonly=t count dc(All_risk.risk_object) as dc_objects earliest(_time) as first_time latest(_time) as last_time from datamodel=Risk.All_Risk by All_Risk.threat_object
 | rename All_Risk.threat_object as threat_object
 | convert ctime(first_time) as first_time | convert ctime(last_time) as last_time
 | outputlookup threat_object_count.csv
@@ -17,7 +17,7 @@ You might want to include more details here, like lists of searches that fired t
 
 ## Incorporating into Risk Notables
 
-Because of potential overlaps with multi-value fields, we might need to change our initial `tstats` logic to keep threat objects separate for a bit. I will use the base logic for the [limit score stacking](https://github.com/splunk/rba/blob/main/docs/searches/limit_score_stacking.md) Risk Incident Rule:
+Because of potential overlaps in multi-value fields for threat object, we need to change our initial `tstats` logic to keep them separate until after we enrich. I will use the base logic for the [limit score stacking](https://github.com/splunk/rba/blob/main/docs/searches/limit_score_stacking.md) Risk Incident Rule with some modifications:
 
 ```shell linenums="1"
 | tstats `summariesonly`
@@ -44,6 +44,6 @@ from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type,
 | where capped_risk_score > 100
 ```
 
-I took out the `values()` piece for threat_object, and add it to the `BY` clause so we keep things separate while we enrich with our lookup. Then I utilize that information to adjust the risk score of events which happen a lot, and especially when observed on multiple machines.
+We have to keep in mind order of operations to ensure our logic continues working as intended. I took out the `values()` piece for threat_object, and add it to the `BY` clause so we keep things separate while we enrich with our lookup. Then I utilize that information to adjust the risk score of events which happen a lot, especially when observed on multiple machines. Finally I wrapped it back up with `stats` to utilize our score stacking logic again, now informed by our threat object prevalence adjustments.
 
 <<potentially an image here to show the adjusted scores after threat object changed them?>>