Splunk® Enterprise Security

Installation and Upgrade Manual


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure risk scoring

A risk score is a single metric that shows the relative risk of a device or user object in the network environment over time. An object represents a system, a user, or an unclassified "other" object.

In Enterprise Security, assets and identities are the context that machine data sources are applied to. These objects are your users and networked devices. A correlation search ties data sources to an asset or identity by searching for a conditional match: when the condition matches, an alert is created. The alert can generate a notable event, a risk modifier, or both.

  • A notable event becomes a task. It is an event that must be assigned, reviewed, and closed.
  • A risk modifier becomes a number. It is an event that adds to the risk score of the device or user object.

Risk analysis lets a series of small events and suspicious behaviors be recorded and accumulated over time. The Risk Analysis dashboard shows the risk scores of an object so they can be reviewed.

Assigning Risk

A risk modifier is an alert event that applies a score to objects when the search condition matches. The risk score is a relative number. A basic risk scoring range is established by the pre-defined correlation searches with risk modifiers that are included with the Enterprise Security app.

Enable the correlation searches

The Splunk App for Enterprise Security comes with over 60 pre-configured correlation searches. The searches correspond to the security domains available in the Enterprise Security app. All pre-configured correlation searches are disabled by default.

  1. Use the Custom Searches page to find and review the Description field in the correlation search for the intended correlation use-case.
  2. Enable the correlation searches that correspond to the security domain, data sources, and defined use-case for the Enterprise Security installation.
  3. Review the risk modifier score assigned by each correlation search.
  4. Use the Risk Analysis dashboard to review the risk scores by object, and the most active sources.
  5. Analyze the conditions that contributed to the risk score for an object, and create an additional action or task as necessary.

Create risk modifier

A risk modifier is an alert type that creates an event when a correlation search condition is met. When a risk modifier is created, it is indexed on disk in the risk index. The risk event object is tracked using the Risk Analysis dashboard in the Enterprise Security app. A risk modifier alert type is enabled independently of other alerting options, such as Notable Event creation and Actions.

If Create risk modifier is enabled for the correlation search, additional fields are required:

  • Score: Sets the default score assignment for an event. See Score ranges for Risk.
  • Risk Object field: Sets the search field that the risk score is applied to.
  • Risk Object type: Sets the type of object the risk score is applied to.

Score ranges for Risk

Risk scoring offers a way to capture and aggregate the activities of an object into a single metric using risk modifiers. The correlation searches included in the Enterprise Security app assign a risk score between 20 and 100 depending upon the relative severity of the activity found by the correlation search. The scoring defaults are scoped to a practical range and do not represent an industry standard. The risk score levels use the same naming convention as the event severity.

Risk score ranges
  • 20 - Info
  • 40 - Low
  • 60 - Medium
  • 80 - High
  • 100 - Critical
  • There is no pre-defined upper limit for a risk score. Any limit is imposed by the platform's integer range. On a 32-bit system that ceiling is about two billion (the signed 32-bit integer maximum, 2,147,483,647).
  • One method to assess the relative risk scores is by comparing hosts with similar roles and asset priority to each other.
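The aggregation that the Risk Analysis dashboard performs, written as an ad hoc search over the risk index, as an added example that is not part of this page or of the app's own dashboard searches. The field names risk_object, risk_object_type and risk_score are the ones named on this page; treating `source` as the name of the correlation search that wrote the event, the seven-day window, and labelling the aggregate with the same Info/Low/Medium/High/Critical thresholds are assumptions made for this example.

```spl
index=risk earliest=-7d
| stats sum(risk_score) AS total_risk, count AS modifier_count, values(source) AS sources BY risk_object, risk_object_type
| eval level = case(total_risk >= 100, "Critical", total_risk >= 80, "High", total_risk >= 60, "Medium", total_risk >= 40, "Low", true(), "Info")
| sort - total_risk
| table risk_object, risk_object_type, total_risk, level, modifier_count, sources
```

The `modifier_count` and `sources` columns are what make the total interpretable: a host at 120 from six 20-point Info modifiers fired by one noisy search is a different case from a host at 120 from one Critical hit and one Info hit. Because two objects with the same total are not necessarily equally risky, compare hosts of similar role and asset priority against each other, for instance by looking up the asset record for each risk_object before sorting.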

Assigning a risk score through search

A correlation or other search can embed a risk score directly. The correlation search Threat List Activity Detected implements search-assigned risk in addition to an alert-type risk modifier. In this search, when an object is found communicating with a host that matches a configured threat list, the risk modifier score is raised by the number of times they communicated multiplied by the threat list weight. As a formula: additional risk = base risk modifier + (weight x event count).

Example: Host DPTHOT1 is detected communicating with a host on a spyware threat list. The base risk modifier is 40. During the time span of the correlation search, DPTHOT1 communicated with the threat-listed host two times. The weight assigned to the threat list is one, and is multiplied by the number of communications. The risk added to system object DPTHOT1 is therefore 40 + (1 x 2) = 42.
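The formula above as a concrete search, added here as an example; it is not the Threat List Activity Detected search that ships with the app. It assumes a proxy index named `proxy` and a lookup `threatlist_hosts` with the fields `dest`, `threat_list` and `weight` (both constructed for the example), and it assumes that a `risk_score` field in the search results overrides the default Score configured on the correlation search, which is how search-assigned risk is taken to work here. The object type is written in lowercase as it appears in risk events.

```spl
index=proxy earliest=-24h
| lookup threatlist_hosts dest OUTPUT threat_list, weight
| where isnotnull(threat_list)
| stats count AS event_count, values(threat_list) AS threat_list, max(weight) AS weight BY src, dest
| eval risk_score = 40 + (weight * event_count)
| eval risk_object = src, risk_object_type = "system"
| table src, dest, threat_list, weight, event_count, risk_score, risk_object, risk_object_type
```

For the DPTHOT1 case above (two proxy events to one spyware-listed destination, list weight 1) the search returns a single row with event_count 2 and risk_score 42, and the risk modifier written for risk_object DPTHOT1 carries that score. Note that event_count is per src/dest pair and only counts events inside the search's time range, so the score depends on how often the search runs. Because the count enters the formula unbounded, a beaconing host that contacts a weight-1 destination 500 times in a day adds 540 points from one search, dwarfing a single Critical hit; if that is not the intended ranking, cap the `weight * event_count` term or scale the weights down for noisy lists.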

Risk object field

The risk object field is a reference to a search field returned by a correlation search. Correlation searches use fields such as src and dest to report on matching results. The risk object field represents a system, host, device, user, role, credential, or any object that the correlation search is designed to report on. Review any correlation search that assigns a risk score for examples of fields that receive a risk score.

Risk object types

The Enterprise Security app defines three risk object types by default.

Object type   Description
System        A network device or technology. Can represent an object in the Asset table, but is not required to.
User          A network user, credential, or role. Can represent an object in the Identity table, but is not required to.
Other         Any undefined object that is represented as a field in a data source.

  • Objects in the Asset and Identity tables map to the System and User object types when they match.

Example: A User object is an Identity, but not all users detected will be configured in the Identities tables.

  • The Other object provides a category to place undefined or experimental object types.

Create a new Risk object type

  1. Browse to Configure > Data Enrichment > Lists and Lookups and select the Risk Object Types list.
  2. Highlight the last risk_object_type cell in the table and right-click to open the editor.
  3. Insert a new row into the table.
  4. Edit the cell, adding the new object type name.
  5. Save the changes.

Edit a Risk object type

  1. Browse to Configure > Data Enrichment > Lists and Lookups and select the Risk Object Types list.
  2. Highlight the risk object type and change the name.
  3. Save the changes.
Last modified on 28 September, 2015

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3
