Create and manage risk scoring rules in Splunk Asset and Risk Intelligence
In Splunk Asset and Risk Intelligence, you can create risk scoring rules based on filters or metrics to assign risk to assets. By assigning risk, you can monitor and investigate assets based on their risk level and total risk score.
The following table describes the risk terms in Splunk Asset and Risk Intelligence:
| Risk term | Description |
|---|---|
| Risk score | The score that results from the process of creating a risk scoring filter, adding a risk scoring rule, and then running the rule to assign a score to each affected asset. |
| Risk scoring rule | Rules based on filters or metrics to assign risk to assets. By assigning risk, you can monitor and investigate assets based on their risk level and total risk score. |
| Risk score period | A specific period of time following the execution of a risk scoring rule during which the risk score is valid. |
| Total risk score | The total calculated risk score for each asset, or the sum of all active risk scores from all risk rules that affect each asset. Only risk scores within their risk score period are included in the total risk score. |
Add a risk scoring rule
A risk scoring rule based on a metric checks whether an asset is a defect of that metric, meaning the asset does not comply with the metric. For example, if you added a full disk encryption metric for laptop workstations, you can create a risk scoring rule that assigns risk to any asset that doesn't comply with that metric.
A risk scoring rule based on a filter checks whether or not an asset matches the logic you defined in the filter. For example, if you created a filter for all the laptops used by executives in your organization, you can create a risk scoring rule that assigns a higher risk to those assets because the data might be more sensitive.
Prerequisite
Before you can add a risk scoring rule, you must first add a metric or a risk scoring filter. See Create and manage metrics in Splunk Asset and Risk Intelligence or Add a risk scoring filter.
Steps
- In Splunk Asset and Risk Intelligence, select Admin then Risk management and then Risk scoring rule management.
- Select Add new rule.
- Enter a name and description for the rule.
- Using the drop-down list, select a Filter type.
- To create a rule based on a metric, select Asset metric. Then, choose the metric you want to check for.
- To create a rule based on a risk scoring filter you created, select what type of filter it is, such as Asset software or Asset vulnerability. Then, select the filter you want to use.
You can assign only one risk scoring filter to each rule. However, you can assign the same risk scoring filter to multiple rules.
- Select a Risk level to assign to assets that fit the risk scoring rule. For example, a High risk score receives a risk score of 50 by default. To customize the risk score for each risk level, see Modify risk settings.
- Enter a Risk score period in seconds. Splunk Asset and Risk Intelligence calculates risk for assets discovered within the time frame you specify for the risk score period. By default, a risk score is valid for a risk score period of 24 hours, or 86400 seconds, after an asset triggers a risk rule. During this period, the score contributes to the total risk score for the asset. After this period passes, the score no longer contributes to the total risk score unless the risk rule triggers again.
- Activate the risk scoring rule by turning the toggle switch to Active. You must activate a risk scoring rule in order to run it on discovered assets.
- Select Add rule.
You must turn on the risk processing search for Splunk Asset and Risk Intelligence to assign risk to assets. To turn on the risk processing search and begin assigning risk to assets, see Modify risk settings.
After you add a risk scoring rule, the rule runs on a schedule where Splunk Asset and Risk Intelligence processes the risk and then calculates composite risk scores for assets. To modify the default schedule or to run the risk processing search outside of its defined schedule, see Modify risk settings.
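To make the risk score period and total risk score behaviour concrete, the following Python model is an added example and not code from Splunk Asset and Risk Intelligence. It assumes one active score per rule per asset, with the most recent trigger of a rule governing that rule's period; the rule names, the second rule's score and period, the asset name, and the timestamps are constructed sample data, while the High = 50 score and the 86400-second default period come from this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskRule:
    name: str
    score: int            # score for the rule's risk level, e.g. High = 50 by default
    period: int = 86400   # risk score period in seconds; page default is 24 hours


@dataclass(frozen=True)
class Trigger:
    asset: str
    rule: RiskRule
    at: int               # epoch seconds when the risk processing search matched the asset


def active_scores(triggers, asset, now):
    """Return {rule name: score} for every rule whose score is still valid for the asset.

    Assumption: each rule contributes at most one score, and a re-trigger restarts
    the rule's risk score period, so only the latest trigger at or before `now` counts.
    """
    latest = {}
    for t in triggers:
        if t.asset != asset or t.at > now:
            continue  # skip other assets and triggers that have not happened yet
        if t.rule.name not in latest or t.at > latest[t.rule.name].at:
            latest[t.rule.name] = t
    # A score is active from the trigger time until the period has fully passed.
    return {name: t.rule.score for name, t in latest.items()
            if now < t.at + t.rule.period}


def total_risk_score(triggers, asset, now):
    """Sum of all active risk scores for the asset (the page's 'total risk score')."""
    return sum(active_scores(triggers, asset, now).values())


# Constructed sample data (not from the page): a High metric rule with the default
# 24-hour period and a filter-based rule with a shorter, made-up period.
NO_FDE = RiskRule("No full disk encryption", score=50)
EXEC_LAPTOP = RiskRule("Executive laptop", score=25, period=3600)
T0 = 1_700_000_000
SAMPLE_TRIGGERS = [
    Trigger("laptop-042", NO_FDE, at=T0),
    Trigger("laptop-042", EXEC_LAPTOP, at=T0),
    Trigger("laptop-042", NO_FDE, at=T0 + 80_000),   # rule triggered again on a later run
]

if __name__ == "__main__":
    for offset in (1_800, 7_200, 86_400, 166_400):
        print(offset, total_risk_score(SAMPLE_TRIGGERS, "laptop-042", T0 + offset))
```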
Add a risk scoring filter
With risk scoring filters, you can build logic for filtering assets so that you can create risk scoring rules that assign risk to particular assets. You can build risk scoring filters based on asset records, software, or vulnerabilities.
To add a risk scoring filter, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Risk management and then Risk scoring filter management.
- Using the drop-down list, select a Filter type for the assets you want to create a risk scoring filter for.
- Enter a name for your filter.
- Using the drop-down list, select the time frame for asset discovery.
- If you want to filter by fields, select Field filtering and then configure your filter using the drop-down lists. Select the add icon to add an additional field.
- If you want to filter by a search, select SPL search and then enter the SPL into the Search box.
You can filter by fields or by SPL search, but not by both. If you enter an SPL search and then switch to field filtering, the SPL you entered is cleared.
- Select Search to see the results.
- Select Save as new filter.
- (Optional) To erase your configured filter, select Reset filter.
After you add a risk scoring filter, you can create a risk scoring rule that assigns risk to assets that meet the parameters of your filter. See Add a risk scoring rule.
Edit or delete a risk scoring rule
To edit or delete a risk scoring rule, complete the following steps:
- Select Admin then Risk management and then Risk scoring rule management.
- To edit a rule, locate it in the Risk scoring rules table and select the settings icon. Make sure to select Update to save your changes.
- To delete a rule, locate it in the Risk scoring rules table and select the remove icon.
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2