Related Answers
Download topic as PDF
Risk notables in Splunk Enterprise Security
Risk notables are automatically generated when you run a risk incident rule, which associates risk scores with a system, user, or other risk objects.
Fields in a risk notable
The Risk Analysis adaptive response action applies a few key fields from the Risk Analysis framework to create a risk notable.
Search results from risk incident rules must contain the following key fields to create risk notables:
| Field | Description | Required/Optional? |
|---|---|---|
| Risk object | Any entity that represents potential security threats such as an asset, identity, user, or device tracked by Splunk Enterprise Security. | Required |
| Risk object type | The risk object identifier, which can be a system, user, or a custom value. | Required |
| Risk score | A number that represents the risk level of a specific risk object. Risk events have a default score that you can modify using risk factors. | Required |
| Risk Event count | The total number of risk events associated with the notable event. The notable search calculates this value. | Required |
| Risk message | A unique message to describe the risk activity, which can use fields from the risk event surrounded by "$". For example: Suspicious Activity to $domain$
|
Optional |
| Threat Object | Deviant behavior patterns of a risk object or entity, which indicate a security breach. For example: The Domain threat object tracks the behavior of the domain across all risk objects.
|
Optional |
| Threat Object Type | Identified the threat object such as domain, URL, IP address, file hash, command line, or process name.
|
Optional |
The following fields exist in the notable adaptive response action, but are not required in the risk incident rule search results:
| Field | Description |
|---|---|
drilldown_earliest
|
The start time used to identify the contributing events for the risk notable. This value is automatically populated using the info_min_time in the notable framework.
|
drilldown_latest
|
The end time used to identify the contributing events for the risk notable. This value is automatically populated using the info_max_time in the notable framework.
|
drilldown_search
|
The search used to identify the contributing events for the risk notable. This search must return a calculated_risk_score field. The calculated_risk_score field is common to the Risk data model.
|
You can access the field drilldown_search from the correlation search editor for the risk notable. You can also customize the drilldown_search field to enter the contributing events that creates a risk notable and populates the Risk Event Timeline.
In addition to analyzing the risk notables, other factors that might help to identify threat include:
- Number of risk events
- Specific risk incident rules that generate the risk notables
- Number of events triaged using security orchestration automation and response (SOAR)
- Number of events remediated using SOAR
Difference between a notable and a risk notable
A notable is an event generated by a correlation search as an alert. A notable includes custom metadata fields to assist in alert investigation and track event remediation.
Risk notables are notable events with risk scores that get created automatically when a risk incident rule associates a risk score with a risk object.
Verify a notable is a risk notable
Follow these steps to verify that a notable is a risk notable:
- On the Incident Review page, expand the correlation search associated with the notable.
- Check if the search contains the Risk Score field. For example: Risk Score:
1285.0. - Under Event Details, check if the eventtype field contains the tag:
risk_notables
Risk notables from the same risk object
Risk objects correspond to assets and identities. However, sometimes the same assets and identities might have different display names. For example, the following three display names represent an email address that belongs to a single user. Each risk object has a specific number of contributing risk events associated with it.
robhas 5 contributing risk eventsrob@splunk.comhas 4 contributing risk eventsrob@splunkhas 2 contributing risk events
The normalized_risk_object field in Splunk Enterprise Security gets assigned to risk events so that correlation searches can group together the risk events that correspond to the same asset or identity. Risk incident rules create risk notables when they exceed a certain risk threshold. Risk events with matching normalized risk objects are often grouped together by Splunk Enterprise Security and as a result, the risk based alerting framework sees them as a single entity.
The risk object that appears most frequently is the risk object that gets displayed to the user for the notable. However, the normalized risk object is used to calculate risk scores. Risk score calculation is based on the first element that is listed on the Asset and Identity lookup for that entity. Risk scores are not calculated based on the risk object that is displayed most frequently.
In this example, all three risk objects get displayed as rob even though they map to the same identity, which is the email address of a user named Rob. Thus, the total risk score of a risk notable depends on all the contributing risk events associated with the same normalized risk object, which is higher. This increases the likelihood that the risk incident rule creates true positive risk notables based on behaviors associated with a single risk object (asset or identity) and helps to detect threats during investigations.
If risk objects that represent the same asset or identity don't get grouped together, the risk they represent might get overlooked because they do not exceed the risk threshold that creates risk notables. However, if the risk objects that represent the same asset or identity get normalized and grouped together, connected behaviors that indicate threat become more visible.
Risk notables enriched by entity zones
Entity zones help distinguish between risk objects that might be mapped to the same asset and identity by providing context to the risk events through additional information such as geographic location, source, destination, and so on. For example, you might configure different entity zones for the same username or identity based on different departments within the same organization. Similarly, you might configure different entity zones for the same IP address or asset based on two different locations such as San Jose and San Francisco. Entity zones provide enrichment and help to evaluate the risk associated with the risk event and the risk object more effectively to surface true positives.
Risk incident rules create risk notables when they exceed a certain risk threshold. If the risk objects such as IP addresses based in San Jose and San Francisco, get grouped together without the additional context provided by entity zones, their combined risk score can exceed the risk threshold. This creates a higher volume of risk notables that might not have any real risk associated with them, when evaluated individually. Additional context provided by entity zones helps to reduce the alert volume.
The normalized_risk_object field in Splunk Enterprise Security gets assigned to risk events so that correlation searches can group together the risk events that correspond to the same asset or identity along with the additional context provided by the entity zones.
For more information on using entity zones to add context to risk notables, see Review risk notables enriched by entity zones.
See also
For more information about risk notables and RBA, see the product documentation.
Review risk notables to identify risk in Splunk Enterprise Security
Analyze risk events using the Risk Timeline in Splunk Enterprise Security
Analyze the risk events associated with a risk notable in Splunk Enterprise Security
Analyze risk notables using Threat Topology in Splunk Enterprise Security
|
PREVIOUS Default risk incident rules in Splunk Enterprise Security |
NEXT Review risk notables to identify risk in Splunk Enterprise Security |
Feedback submitted, thanks!