Troubleshoot upgrade issues with risk factors

Issue

Upgrading Splunk Enterprise Security might not update the Risk.json file of the Risk data model, and the upgrade might display the following error message:

Error in "DataModelEvaluator". JSON for datamodel risk is invalid.

Cause

Edits to the risk factors using the Risk Factor Editor modify the risk_factors.conf configuration file and create a local copy of the Risk data model on each Splunk Enterprise Security search head cluster member when the deployer pushes the updated risk data model. The local copy of the Risk data model, /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json, might differ from the default copy, /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json.

Solution

The steps depend on the deployment type.

Splunk Cloud Platform deployments

Contact Splunk Support and file a ticket on the Splunk Support Portal. See Support and Services.

Splunk Support removes the local copy from all members of the search head cluster. Splunk Support then copies the default file /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json from an updated Splunk Enterprise Security instance over the local file /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json.

On-premises deployments

  1. Delete the local copy of the Risk.json file.
  2. Restart the search head cluster.
  3. Ensure that all risk factors, if customized, are available in the Risk.json file.
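As an added check for the on-premises steps (example code written here, not part of Splunk's documentation or product), the following Python script tells you, before you delete anything, whether a local Risk.json override exists on a member, whether each copy parses as JSON, and which data model objects the local copy adds or drops compared with the default, so customized risk factors are not lost. It assumes the SA-ThreatIntelligence layout quoted above; the demo() function builds a constructed sample app tree, and object names in it such as All_Risk and Custom_Risk are sample values.

```python
import json
import tempfile
from pathlib import Path

DEFAULT_APP_ROOT = Path("/opt/splunk/etc/apps/SA-ThreatIntelligence")
MODEL_REL = Path("data") / "models" / "Risk.json"

def load_model(path):
    """Parse a data model JSON file. Returns (model, error); error is None on success."""
    try:
        return json.loads(path.read_text(encoding="utf-8")), None
    except FileNotFoundError:
        return None, "missing"
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON: {exc}"

def object_names(model):
    """Names of the data model objects (empty if the model did not parse)."""
    return {o.get("objectName", "") for o in (model or {}).get("objects", [])}

def check_risk_model(app_root=DEFAULT_APP_ROOT):
    """Report whether a local Risk.json override exists and parses, and which
    model objects it adds or drops compared with the shipped default."""
    default_model, default_err = load_model(app_root / "default" / MODEL_REL)
    local_model, local_err = load_model(app_root / "local" / MODEL_REL)
    both_parse = default_err is None and local_err is None
    default_names, local_names = object_names(default_model), object_names(local_model)
    return {
        "default_error": default_err,
        "local_error": local_err,  # "missing" means no override, which is the clean state
        "local_differs": both_parse and local_model != default_model,
        "objects_only_in_local": sorted(local_names - default_names) if both_parse else [],
        "objects_only_in_default": sorted(default_names - local_names) if both_parse else [],
    }

def demo(local_variant="truncated"):
    """Run the check on a constructed app tree (sample content, not a real install):
    'truncated' mimics a broken local copy, 'extra_object' a customized one."""
    default_model = {"modelName": "Risk", "objects": [{"objectName": "All_Risk"}]}
    default_text = json.dumps(default_model)
    custom = {**default_model, "objects": default_model["objects"] + [{"objectName": "Custom_Risk"}]}
    local_text = default_text[:-3] if local_variant == "truncated" else json.dumps(custom)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for scope, text in (("default", default_text), ("local", local_text)):
            path = root / scope / MODEL_REL
            path.parent.mkdir(parents=True)
            path.write_text(text, encoding="utf-8")
        return check_risk_model(root)
```

Run check_risk_model() on each search head cluster member; a local_error of "missing" after step 1 confirms the override is gone, and objects_only_in_local before deletion lists what step 3 must verify survives in the default file.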