Risk notables in Splunk Enterprise Security
Risk notables are automatically generated when you run a risk incident rule, which associates risk scores with a system, user, or other risk objects.
Fields in a risk notable
The Risk Analysis adaptive response action applies a few key fields from the Risk Analysis framework to create a risk notable.
Search results from risk incident rules must contain the following key fields to create risk notables:
Field | Description | Required/Optional? |
---|---|---|
Risk object | Any entity that represents potential security threats such as an asset, identity, user, or device tracked by Splunk Enterprise Security. | Required |
Risk object type | The risk object identifier, which can be a system, user, or a custom value. | Required |
Risk score | A number that represents the risk level of a specific risk object. Risk events have a default score that you can modify using risk factors. | Required |
Risk Event count | The total number of risk events associated with the notable event. The notable search calculates this value. | Required |
Risk message | A unique message to describe the risk activity, which can use fields from the risk event surrounded by "$". For example: Suspicious Activity to $domain$ | Optional |
Threat Object | Deviant behavior patterns of a risk object or entity, which indicate a security breach. For example: the Domain threat object tracks the behavior of the domain across all risk objects. | Optional |
Threat Object Type | Identifies the threat object, such as domain, URL, IP address, file hash, command line, or process name. | Optional |
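The following added example (not code from the Splunk documentation or the product) shows the check a risk incident rule author might apply to its search results before they feed the Risk Analysis adaptive response action: confirm the required fields from the table above are present, and render a risk message whose `$field$` tokens are filled from the risk event. The lowercase field names (`risk_object`, `risk_object_type`, `risk_score`, `risk_event_count`, `risk_message`, `threat_object`, `threat_object_type`) and the sample rows are assumptions chosen for illustration; they are not necessarily the exact internal field names Splunk Enterprise Security uses.

```python
import re
from typing import Dict, List

# Field names are assumptions modelled on the Required/Optional table above,
# not a statement of Splunk Enterprise Security's internal schema.
REQUIRED_FIELDS = ("risk_object", "risk_object_type", "risk_score", "risk_event_count")
OPTIONAL_FIELDS = ("risk_message", "threat_object", "threat_object_type")

# A $field$ token: a dollar sign, an identifier, a dollar sign.
_TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def missing_required_fields(result: Dict[str, str]) -> List[str]:
    """Return the required fields that are absent or empty in one search result row."""
    return [f for f in REQUIRED_FIELDS if result.get(f) in (None, "")]


def render_risk_message(template: str, result: Dict[str, str]) -> str:
    """Substitute $field$ tokens with values from the result row.

    A token naming a field the row does not carry is left untouched, so a
    typo in the rule shows up verbatim in the notable instead of silently
    disappearing.
    """
    def repl(match: "re.Match") -> str:
        name = match.group(1)
        return str(result[name]) if name in result else match.group(0)
    return _TOKEN.sub(repl, template)


def build_risk_notable(result: Dict[str, str]) -> Dict[str, object]:
    """Validate one result row and assemble the fields a risk notable carries.

    Raises ValueError when a required field is missing, mirroring the rule
    that the adaptive response action needs all four required fields.
    """
    missing = missing_required_fields(result)
    if missing:
        raise ValueError("cannot create risk notable, missing fields: %s" % ", ".join(missing))
    notable: Dict[str, object] = {f: result[f] for f in REQUIRED_FIELDS}
    notable["risk_score"] = float(result["risk_score"])
    notable["risk_event_count"] = int(result["risk_event_count"])
    for f in OPTIONAL_FIELDS:
        if f in result:
            notable[f] = result[f]
    if "risk_message" in notable:
        notable["risk_message"] = render_risk_message(result["risk_message"], result)
    return notable


# Constructed sample rows (not real search output).
SAMPLE_OK = {
    "risk_object": "rob", "risk_object_type": "user",
    "risk_score": "1285.0", "risk_event_count": "11",
    "domain": "example.test",
    "risk_message": "Suspicious Activity to $domain$",
    "threat_object": "example.test", "threat_object_type": "domain",
}
SAMPLE_BAD = {"risk_object": "10.0.0.5", "risk_object_type": "system", "risk_score": "40"}

if __name__ == "__main__":
    print(build_risk_notable(SAMPLE_OK))
    print("missing in SAMPLE_BAD:", missing_required_fields(SAMPLE_BAD))
```

Rejecting a row outright (rather than creating a notable with blank fields) keeps Incident Review free of risk notables that cannot be scored or counted, which is the failure mode a missing required field produces.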
The following fields exist in the notable adaptive response action, but are not required in the risk incident rule search results:
Field | Description |
---|---|
drilldown_earliest | The start time used to identify the contributing events for the risk notable. This value is automatically populated using the info_min_time in the notable framework. |
drilldown_latest | The end time used to identify the contributing events for the risk notable. This value is automatically populated using the info_max_time in the notable framework. |
drilldown_search | The search used to identify the contributing events for the risk notable. This search must return a calculated_risk_score field. The calculated_risk_score field is common to the Risk data model. |
You can access the drilldown_search field from the correlation search editor for the risk notable. You can also customize the drilldown_search field to specify the contributing events that create a risk notable and populate the Risk Event Timeline.
In addition to analyzing the risk notables, other factors that might help to identify a threat include:
- Number of risk events
- Specific risk incident rules that generate the risk notables
- Number of events triaged using security orchestration automation and response (SOAR)
- Number of events remediated using SOAR
Difference between a notable and a risk notable
A notable is an event generated by a correlation search as an alert. A notable includes custom metadata fields to assist in alert investigation and track event remediation.
Risk notables are notable events with risk scores that get created automatically when a risk incident rule associates a risk score with a risk object.
Verify a notable is a risk notable
Follow these steps to verify that a notable is a risk notable:
- On the Incident Review page, expand the correlation search associated with the notable.
- Check whether the search contains the Risk Score field. For example: Risk Score: 1285.0.
- Under Event Details, check whether the eventtype field contains the tag risk_notables.
Risk notables from the same risk object
Risk objects correspond to assets and identities. However, sometimes the same assets and identities might have different display names. For example, the following three display names represent an email address that belongs to a single user. Each risk object has a specific number of contributing risk events associated with it.
- rob has 5 contributing risk events
- rob@splunk.com has 4 contributing risk events
- rob@splunk has 2 contributing risk events
The normalized_risk_object field in Splunk Enterprise Security gets assigned to risk events so that correlation searches can group together the risk events that correspond to the same asset or identity. Risk incident rules create risk notables when the aggregated risk score of a risk object exceeds the rule's risk threshold. Risk events with matching normalized risk objects are grouped together by Splunk Enterprise Security and, as a result, the risk-based alerting framework sees them as a single entity.
The risk object that appears most frequently is the risk object that gets displayed to the user for the notable. However, the normalized risk object is used to calculate risk scores. Risk score calculation is based on the first element that is listed on the Asset and Identity lookup for that entity. Risk scores are not calculated based on the risk object that is displayed most frequently.
In this example, all three risk objects get displayed as rob even though they map to the same identity, which is the email address of a user named Rob. Thus, the total risk score of the risk notable includes all the contributing risk events associated with the same normalized risk object and is therefore higher. This increases the likelihood that the risk incident rule creates true positive risk notables based on behaviors associated with a single risk object (asset or identity) and helps to detect threats during investigations.
If risk objects that represent the same asset or identity don't get grouped together, the risk they represent might get overlooked because they do not exceed the risk threshold that creates risk notables. However, if the risk objects that represent the same asset or identity get normalized and grouped together, connected behaviors that indicate threat become more visible.
Risk notables enriched by entity zones
Entity zones help distinguish between risk objects that might be mapped to the same asset and identity by providing context to the risk events through additional information such as geographic location, source, destination, and so on. For example, you might configure different entity zones for the same username or identity based on different departments within the same organization. Similarly, you might configure different entity zones for the same IP address or asset based on two different locations such as San Jose and San Francisco. Entity zones provide enrichment and help to evaluate the risk associated with the risk event and the risk object more effectively to surface true positives.
Risk incident rules create risk notables when the aggregated risk score of a risk object exceeds the rule's risk threshold. If risk objects such as IP addresses based in San Jose and San Francisco get grouped together without the additional context provided by entity zones, their combined risk score can exceed the risk threshold. This creates a higher volume of risk notables that might not have any real risk associated with them when evaluated individually. The additional context provided by entity zones helps to reduce the alert volume.
The normalized_risk_object field in Splunk Enterprise Security gets assigned to risk events so that correlation searches can group together the risk events that correspond to the same asset or identity, along with the additional context provided by the entity zones.
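The following added example (not code from the Splunk documentation or the product) works through both the alias-grouping case from "Risk notables from the same risk object" and the entity-zone case above. It aggregates the constructed risk events three ways: by the raw risk object, by a normalized risk object resolved through an identity lookup, and by normalized risk object plus entity zone. The lookup table, the `entity_zone` field, the per-event scores and the threshold of 100 are assumptions chosen so that the three aliases of rob only cross the threshold once normalized, while the shared IP address only crosses it when its two locations are wrongly merged.

```python
from collections import defaultdict
from typing import Callable, Dict, Hashable, List

# Assumed identity lookup: each alias resolves to the first (canonical) entry
# for that identity. Not a real Asset and Identity lookup.
IDENTITY_LOOKUP = {
    "rob": "rob@splunk.com",
    "rob@splunk.com": "rob@splunk.com",
    "rob@splunk": "rob@splunk.com",
}
RISK_THRESHOLD = 100.0  # assumed rule threshold

# Constructed risk events mirroring the page's 5/4/2 alias split, plus one IP
# address seen from two locations that entity zones should keep apart.
RISK_EVENTS: List[Dict[str, object]] = (
    [{"risk_object": "rob", "risk_object_type": "user", "risk_score": 10.0}] * 5
    + [{"risk_object": "rob@splunk.com", "risk_object_type": "user", "risk_score": 10.0}] * 4
    + [{"risk_object": "rob@splunk", "risk_object_type": "user", "risk_score": 10.0}] * 2
    + [{"risk_object": "10.1.1.5", "risk_object_type": "system", "risk_score": 30.0,
        "entity_zone": "san_jose"}] * 2
    + [{"risk_object": "10.1.1.5", "risk_object_type": "system", "risk_score": 30.0,
        "entity_zone": "san_francisco"}] * 2
)


def normalize(event: Dict[str, object]) -> str:
    """Resolve a risk object to its canonical identity; unknown names map to themselves."""
    return IDENTITY_LOOKUP.get(str(event["risk_object"]), str(event["risk_object"]))


# Three grouping keys: raw display name, normalized identity, normalized identity + zone.
def raw_key(e: Dict[str, object]) -> Hashable:
    return (e["risk_object_type"], e["risk_object"])


def normalized_key(e: Dict[str, object]) -> Hashable:
    return (e["risk_object_type"], normalize(e))


def zoned_key(e: Dict[str, object]) -> Hashable:
    return (e["risk_object_type"], normalize(e), e.get("entity_zone"))


def aggregate(events: List[Dict[str, object]],
              key_fn: Callable[[Dict[str, object]], Hashable]) -> Dict[Hashable, Dict[str, object]]:
    """Sum risk scores and count events per group.

    The displayed risk_object is the most frequent raw name in the group, as the
    page describes; the score is summed over the whole group regardless of name.
    """
    groups = defaultdict(lambda: {"score": 0.0, "count": 0, "names": defaultdict(int)})
    for e in events:
        g = groups[key_fn(e)]
        g["score"] += float(e["risk_score"])
        g["count"] += 1
        g["names"][str(e["risk_object"])] += 1
    out: Dict[Hashable, Dict[str, object]] = {}
    for k, g in groups.items():
        # Most frequent name wins; ties broken alphabetically for determinism.
        display = max(g["names"].items(), key=lambda kv: (kv[1], kv[0]))[0]
        out[k] = {"risk_object": display, "risk_score": g["score"], "risk_event_count": g["count"]}
    return out


def risk_notables(events: List[Dict[str, object]],
                  key_fn: Callable[[Dict[str, object]], Hashable],
                  threshold: float = RISK_THRESHOLD) -> Dict[Hashable, Dict[str, object]]:
    """Return only the groups whose summed score exceeds the threshold."""
    return {k: v for k, v in aggregate(events, key_fn).items() if v["risk_score"] > threshold}


if __name__ == "__main__":
    for label, fn in (("raw", raw_key), ("normalized", normalized_key), ("normalized+zone", zoned_key)):
        print(label, risk_notables(RISK_EVENTS, fn))
```

Raw grouping misses Rob entirely (50, 40 and 20 each sit under the threshold) while over-alerting on the IP address (120); normalization surfaces Rob as one 110-point notable displayed as "rob"; adding the entity zone splits the IP into two 60-point groups that no longer fire. The two mechanisms pull in opposite directions, which is why the page pairs them: normalization merges what belongs together, entity zones keep apart what only looks the same.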
For more information on using entity zones to add context to risk notables, see Review risk notables enriched by entity zones.
See also
For more information about risk notables and RBA, see the product documentation:
- Review risk notables to identify risk in Splunk Enterprise Security
- Analyze risk events using the Risk Timeline in Splunk Enterprise Security
- Analyze the risk events associated with a risk notable in Splunk Enterprise Security
- Analyze risk notables using Threat Topology in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2