Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security 8.x documentation.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create risk factors to adjust risk scores in Splunk Enterprise Security

Create risk factors to adjust risk scores for risk objects so that you can effectively isolate threats using Splunk Enterprise Security by mapping out the risk in the environment.

Risk factors are a set of rules or tuning factors on the basis of which risk scores can be calculated for a risk object or entity that might be an asset, identity, or a device. You can select conditions to dynamically adjust risk scores and simplify the threat investigation process by surfacing suspicious behavior.

The "base" risk score is a value based on the correlation search or event. Risk factors assign a "calculated" risk score based on the conditions specified in the metadata for the risk objects, like priority, category, user, asset, and so on. Finally, the "total risk score" is the sum of all calculated risk scores for a risk object within a specific time frame.

Risk factors modify the risk score by increasing or decreasing the score based on field values in the risk index. However, Splunk Enterprise Security calculates the total risk score dynamically using the risk data model instead of relying only on the risk index.

Risk factors are usually based on asset or identity information but might also be configured on fields such as Action, Priority, Category, and so on. You must verify the completeness of your assets and identity data in Splunk Enterprise Security to evaluate the data in your security environment based on individual criticality and prioritize key data elements so that you can configure effective risk factors that detect threats.

Risk factors help to adjust the risk scores without creating new searches. For example, you can simply increase the risk score using the Risk factor Editor by a factor of two on a laptop that belongs to a director instead of an employee instead of creating a new search to flag such risk events.

Using adaptive response actions to create risk objects in correlation searches is not very effective because they are base don a risk score, which has a fixed value and is based on the individual analyst's discretion. Instead, risk factors help to create more precise risk scores that are based on real threat.

The risk_factors.conf configuration file saves all the values that you enter through the Risk Factor Editor by default.


How the risk factor scoring works

When you create risk factors, check the formula to understand how to calculate the risk factors so that they work as expected and do not inflate the risk scores.

(risk_base_score + sum (expression_group_addition) ) * product (expression_group_multiplication)

For example, if you have four matching risk factors for a correlation search with a base score of 5, and two of the risk rules multiply the risk by 2. Another risk rule adds 5 and another risk rule adds 6.


Base score Operation
5 Multiply by 2
5 Multiply by 2
5 Add by 5
5 Add by 6


Then, the risk framework calculates the risk factor as follows:
(<base-score> + 5 + 6) = 16;
16x 2 x 2 = 64.
In this example, your risk factor is 64.

Addition factors are always applied before the multiplication factors based on the order of operations.

Create a new risk factor

Follow these steps to create a new risk factor using the Risk Factor Editor:

Prerequisites

  • Identify the risk index for correlation searches so that you can select the appropriate conditions to create risk factors.
  • Preview the risk events that match your conditions prior to saving risk factors.
  • Have the edit_risk_factor capability to create or make changes to the risk factors using the UI. For more information on adding capabilities to roles, see Add capabilities to a role in the Splunk Enterprise Security Installation and Upgrade manual.
  • Identify the fields that you want to include in the risk factor by checking the events in the risk index or verifying matching events in the Risk Factor Editor.

For risk events that only have the fields risk_object and risk_object_type instead of dest or src, you must check the fields for assets and identities that have the prefix risk_object_. For example: The priority field displays in risk_object_priority under assets and identities.

Create risk factor

  1. From the Enterprise Security menu, select Configure > Content > Content Management.
  2. (Optional) From the Type list, select Risk Factors.
    This sorts and displays the list of existing risk factors.
  3. From the Create New Content list, select Risk Factors.
    This opens the Risk Factor Editor.
  4. Select Add Risk Factor.
  5. In the center pane, add the following information to create the new risk factor.
    1. In the Name field, enter the name of the new risk factor.
    2. In the Description field, provide a description for the new risk factor.
    3. In the Operation list, select one of the following options to modify the original risk score: Addition or Multiplication.
      Addition factors are always applied before the multiplication factors.
    4. In the Conditions panel, select the criteria for which you want to base the value of your risk factor. For example, if the event field Owner contained the phrase "admin", you can multiply the risk score by 10.
      Set conditions to dynamically generate a value for the risk factor and identify the associated threat. If the risk factor meets the conditions specified, the threat level for the risk object is proportionally increased or decreased. To set simple conditions, see Set basic conditions to assign risk scores.
      To set advanced conditions such as using a wildcard search, see Set advanced conditions to assign risk scores.
    5. In the Factor field, assign a numerical value for the risk factor.
      The number that you enter in the Factor field is not an arbitrary value and depends on the conditions that you select in the Conditions panel in the next step.
  6. Select Save to save your changes.

You have the option to create a risk factor and then disabling it by dragging the Enable button. To enable a risk factor for your deployment, you can drag the Enable button.

Set basic conditions to assign risk scores

Use the following steps to set conditions based on the event field and value and assign an appropriate score for the risk object.

  1. In the Conditions panel of the Risk Factor Editor, select the Basic tab.
  2. In the Risk Event Field, enter a value for the event field to which you want to assign a risk factor.
  3. In the Risk Event Value field, enter a value against which you want to compare the event field. The value can be a static value or the name of another field.
  4. Select Save to save your changes.

Set advanced conditions to assign risk scores

You can create more targeted risk factors by adding multiple conditions. You can configure multiple conditions when creating risk factors by selecting the + icon in the Risk Factor Editor. To remove conditions, select the Remove button for the specific risk factor in the Risk Factor Editor.

When you add multiple conditions to a risk factor, they are aggregated using the AND logical operator.

For example: If you define a risk factor with the following conditions:

Condition #1:

Risk Event Field = user_category
Comparator = is equal to
Value = privileged

Condition #2:

Risk Event Field = user_category
Comparator = is equal to
Value = admin

You can use the SPL preview to view how the conditions get applied to create the risk factor:
If ("user_category" = "privileged" AND "user_category" = "admin", 20.0)

Use the following steps to configure conditions for risk factors:

  1. In the Conditions pane of the Risk Factor Editor, select the Advanced tab.
  2. In the Risk Event Field, enter a value for the event field to which you want to assign a risk factor. For example: user_category or asset_category.
  3. From the Comparator drop-down list, select the comparison parameter to indicate the relationship between the risk event field and value.
    The following list indicates the possible options for comparator values:
    • is equal to
    • is not equal to
    • matches regular expression
    • like
    • is greater than or equal
    • is less than or equal
    • is greater than
    • is less than
    Use the "like" or the "regex" comparator to set up wildcard searches as the adaptive response action. For more information on the like conditional function, see like. For more information on the match regex function, see match.
  4. Toggle the Compare against field button to select or deselect the option of comparing the event field against a value.
    Enabling the Compare against field option lets you use the Value field as a field name instead of a static string.
  5. In the Value field, enter the value against which you want to compare the event field. The value can be a static value or the name of another field.
    You must enter a numerical value for the Value field if you are using any of the following comparators from the drop down menu: is greater than or equal, is less than or equal, is greater than, is less than.
  6. Select Save to save your changes.
  7. To set multiple conditions and create more targeted risk factors, select the + icon.
  8. To remove a condition, select the Remove button.

Verify the risk factor conditions

Follow these steps to review the risk factor conditions:

  1. In the Risk Factor Editor, use the preview option in the center pane to verify how the conditions and comparators apply to a risk factor.
  2. Access the Conditions pane of the Risk Factor Editor and click the Advanced tab to learn how the "like" comparator applies to the risk factors.
  3. Type in a value for the Risk Event Field, select "like" from the Comparator drop down menu, and type in the value for the risk factor in the Value field.
  4. Review how the search appears in the Preview field. For example: if(like('risk_object',"bennay"), 0.0)
  5. Check the Risk Factor Editor to identify how many events match the conditions you added to the risk factor.
  6. Use search to verify if the risk factor displays the events to which you want to apply the risk factor.

Write conditions against asset and identity fields

If you write conditions against asset and identity fields for risk events, enable correlation by sourcetype and add the sourcetype name of stash. Alternately, you can enable correlation for all sourcetypes. For example, if you write a condition for an asset with src_bunit=emea, the src_bunit field is an asset field that is automatically provided if the correlation and the lookup are enabled.

For more information about correlation setup, see Manage correlation setup in Splunk Enterprise Security.

For more information about lookup configuration, see Manage asset lookup configuration policies in Splunk Enterprise Security.

Example 1

If you have a risk modifier defined as follows:

Risk entity Value
risk_score 120
risk_object alice
risk_object_type user
risk_object_priority critical

Let's say, we define the risk factor to add the risk by 50 when the priority of the risk object is critical, then the effective risk score for this risk modifier is 120 + 50 = 170.

Example 2

If you configure a risk factor called "Critical Severity Alert" for a source, if a security threat is flagged in your AWS environment by AWS Security HUB or AWS GuardDuty, which is considered to be of critical severity.

if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="critical",2.5,1)

Then, using the Risk Factor Editor, you can specify a condition to multiply the risk associated with this source by a factor of 2.5.

Similarly, if a user is a watchlisted user and the asset is of critical priority, you can configure a risk factor that multiplies the risk on the asset and the user by a factor of 1.2.

See also

For more information about how risk modifiers and risk factors are associated with risk objects and how they impact risk scores, see the product documentation.

How risk modifiers impact risk scores in Splunk Enterprise Security

Modify a risk score with a risk modifier in Splunk Enterprise Security

Manage risk factors in Splunk Enterprise Security

Use default risk factors for guidance to create risk factors in Splunk Enterprise Security

Troubleshoot upgrade issues with risk factors

Customizing risk factors by applying conditions to data fields

Last modified on 13 December, 2023
Classify risk objects for targeted threat investigation in Splunk Enterprise Security   Manage risk factors to track evolving security threats in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters