Use default risk factors in
Use the default risk factors, which are designed for specific conditions, to dynamically assign risk scores to risk objects and effectively isolate threats using . provides seven risk factors by default, which you can customize further for your environment. You can also use these default risk factors as examples and create your own risk factors based on your environment.
All risk factors are displayed automatically in the left panel of the Risk Factor Editor. However, the default risk factors are disabled.
Following is the list of risk factors that are available on the app by default:
Number | Risk factor | Description |
---|---|---|
1 | Admin User | Increases the risk score of a user who has a privileged or administrative identity. If the "user_category" field matches the regex "admin", the risk score is multiplied by 1.5. |
2 | Contractor User | Increases the risk score of a user who is a contractor. If the "user_category" field value is "contractor", 5 is added to the risk score. |
3 | Critical Priority Destination | Increases the risk score for critical destinations. If the "dest_priority" field value is "critical", the risk score is multiplied by 1.5. |
4 | High Priority User | Increases the risk score for high priority users. If the "user_priority" field value is "high", the risk score is multiplied by 1.25. |
5 | PCI Source | Increases the risk score for Payment Card Industry (PCI) sources. If the "src_category" field value is "pci", the risk score is multiplied by 1.5. |
6 | Watchlisted Priority User | Increases the risk score for users on a watchlist whose priority is not low. If the "user_watchlist" field is equal to "true" and "user_priority" is not equal to "low", the risk score is multiplied by 1.5. For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage. |
7 | Watchlisted User | Increases the risk score for users on a watchlist. If "user_watchlist" is "true", the risk score is multiplied by 1.5. For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage. |
Create risk factors to adjust the risk scores of risk objects so that you can effectively isolate threats using by mapping out the risk in your environment. See Create risk factors in Splunk Enterprise Security and Manage risk factors in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.
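To see how the seven default factors combine on a single risk event, here is an added Python model of the table above; it is not Splunk code, and it assumes that additive factors are summed onto the base score before every matching multiplier is applied, that field comparisons are case-insensitive, and that fields may be multivalue. The constructed events show that a watchlisted, non-low-priority user triggers both watchlist factors, so the score is multiplied by 2.25 rather than 1.5.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class RiskFactor:
    name: str
    matches: Callable[[dict], bool]   # condition on the risk event's fields
    operation: str                    # "multiply" or "add"
    value: float

def _values(event: dict, field: str) -> list:
    """Return a field's values as a list (ES fields are often multivalue)."""
    v = event.get(field, [])
    return v if isinstance(v, list) else [v]

def _eq(field: str, expected: str) -> Callable[[dict], bool]:
    # Assumption: comparison is case-insensitive on the string form.
    return lambda e: any(str(v).lower() == expected for v in _values(e, field))

def _regex(field: str, pattern: str) -> Callable[[dict], bool]:
    return lambda e: any(re.search(pattern, str(v), re.I) for v in _values(e, field))

# The seven default risk factors, with the conditions and values from the table.
DEFAULT_RISK_FACTORS = [
    RiskFactor("Admin User", _regex("user_category", "admin"), "multiply", 1.5),
    RiskFactor("Contractor User", _eq("user_category", "contractor"), "add", 5),
    RiskFactor("Critical Priority Destination", _eq("dest_priority", "critical"), "multiply", 1.5),
    RiskFactor("High Priority User", _eq("user_priority", "high"), "multiply", 1.25),
    RiskFactor("PCI Source", _eq("src_category", "pci"), "multiply", 1.5),
    RiskFactor("Watchlisted Priority User",
               lambda e: _eq("user_watchlist", "true")(e) and not _eq("user_priority", "low")(e),
               "multiply", 1.5),
    RiskFactor("Watchlisted User", _eq("user_watchlist", "true"), "multiply", 1.5),
]

def apply_risk_factors(event: dict, factors=DEFAULT_RISK_FACTORS) -> Tuple[float, List[str]]:
    """Return the adjusted score and the names of the factors that fired.
    Assumed order: additions are summed onto the base score, then each
    matching multiplier is applied (multipliers therefore compound)."""
    fired = [f for f in factors if f.matches(event)]
    score = float(event["risk_score"])
    score += sum(f.value for f in fired if f.operation == "add")
    for f in fired:
        if f.operation == "multiply":
            score *= f.value
    return score, [f.name for f in fired]

# Constructed sample events (not real Splunk data).
WATCHLISTED_ADMIN = {"risk_score": 20, "user_category": ["admin", "contractor"],
                     "user_priority": "high", "user_watchlist": "true",
                     "src_category": "pci", "dest_priority": "critical"}
LOW_PRIORITY_CONTRACTOR = {"risk_score": 10, "user_category": "contractor",
                           "user_priority": "low", "user_watchlist": "true"}
```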
This documentation applies to the following versions of Splunk® App for PCI Compliance: 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2