splunk · SPLK-5001 · Q604 · multiple_choice · topic_1

A Risk Rule generates events on Suspicious Cloud Share Activity and regularly contributes to confirmed incidents from Risk Notables. An analyst realizes the raw logs these events are generated from contain information which helps them determine what might be malicious. What should they ask their engineer for to make their analysis easier?
  • A. Create a field extraction for this information.
  • B. Add this information to the risk_message.
  • C. Create another detection for this information.
  • D. Allowlist more events based on this information.
Explanation
Option B, "Add this information to the risk_message", is indeed a viable and effective choice, especially in the context of Risk-Based Alerting (RBA) in Splunk. By adding key information to the risk_message, you enhance the context around each risk event, allowing the analyst to quickly view relevant details without needing to drill down into raw logs. This approach can streamline investigations by summarizing essential details directly within the notable events, making the process faster and more efficient for the analyst. In this case, both A and B can be good options, but B might offer more immediate context within the Incident Review, especially if the goal is to have critical information surfaced directly in risk events.

Reference: examtopics_top_comment