Configure risk scoring

A risk score is a single metric that shows the relative risk of a device or user object in the network environment over time. Splunk ES classifies a device as a system, a user as a user, and unrecognized devices or users as other. These classifications represent types of risk objects.

In Enterprise Security, machine data applies context to assets and identities, which are your users and networked devices. Correlation searches correlate the data sources with an asset or identity by searching for a conditional match to a question. An alert is created when a correlation search finds a match. These alerts can generate a notable event, a risk modifier, or both.

• Notable events are events that you can assign, review, and close as part of an investigation.
• Risk modifiers are numbers that contribute to the risk score of an asset or identity.

Splunk ES uses risk analysis to take note of and calculate the risk of small events and suspicious behavior over time to your environment. The Risk Analysis dashboard displays these risk scores and other risk-related information.

Assigning risk

Splunk Enterprise Security will assign a risk score to a system or user after you enable correlation searches. See Enable the correlation searches in this manual.

After you enable correlation searches, you can review the risk scores created by the correlation searches.

1. Use the Risk Analysis dashboard to review the risk scores by object, and the most active sources.
2. Analyze the conditions that contributed to the risk score for an object, and create an additional action or task as necessary.

Create risk modifier

Some correlation searches create risk modifiers. After you enable them, the searches will create risk modifiers when the appropriate conditions match. You can also create a risk modifier with new correlation searches, or add that as an action for existing correlation searches. You can enable risk modifer alerts independently of other alerting options, such as Notable Event creation and Actions.

If you enable Create risk modifier for a correlation search, you must complete additional fields.

• Score: Sets the default score assignment for an event. See Score ranges for Risk.
• Risk Object field: Sets the search field the risk score is applied to.
• Risk Object type: Sets the type of object the risk score is applied to.

When a search creates a risk modifier, Splunk indexes it on disk in the risk index.

Score ranges for risk

Risk scoring offers a way to capture and aggregate the activities of an asset or identity into a single metric using risk modifiers.

The correlation searches included in Enterprise Security assign a risk score between 20 and 100 depending on the relative severity of the activity found in the correlation search. The searches scope the default scores to a practical range. This range does not represent an industry standard. ES does not define an upper limit for the total risk score of an identity or asset, but operating systems can impose a limit. For example, 32-bit operating systems limit a risk score to two million.

Risk score levels use the same naming convention as event severity. You can assess relative risk scores by comparing hosts with similar roles and asset priority.

• 20 - Info
• 40 - Low
• 60 - Medium
• 80 - High
• 100 - Critical

You can change the risk score that a correlation search assigns on the Edit Correlation Searches page.

Risk object field

The risk object field is a reference to a search field returned by a correlation search. Correlation searches use fields such as src and dest to report on matching results. The risk object field represents a system, host, device, user, role, credential, or any object that the correlation search is designed to report on. Review any correlation search that assigns a risk score for examples of fields that receive a risk score.

Risk object types

Splunk Enterprise Security defines three risk object types.

If a risk object matches an object in the Asset or Identity table, Splunk ES will map them accordingly. However, devices and users do not need to be represented in the corresponding asset and identity tables to be identified as system or user risk objects. ES categorizes undefined or experimental object types with a risk object type of Other.

Create a new Risk object type

1. Browse to Configure > Data Enrichment > Lists and Lookups and select the Risk Object Types list.
2. Highlight the last risk_object_type cell in the table and right-click to see the table editor.
3. Insert a new row into the table.
4. Double-click in the new row to edit it, then add the new object type name.
5. Save the changes.

Edit a Risk object type

1. Browse to Configure > Data Enrichment > Lists and Lookups and select the Risk Object Types list.
2. Highlight the risk object type and change the name.
3. Save the changes.

Assigning a risk score through search

A correlation or other search can directly modify a risk score without using an alert. In this way, it can alter the risk score of a system or user based on the results of a search, rather than only when search results match a particular set of conditions.

For example, the Threat List Activity Detected correlation search uses search-assigned risk in addition to an alert-type risk modifier. When the search finds an asset or identity communicating with a host that matches a configured threat list, the search modifies the risk score accordingly. In this case, the risk modifier reflects the number of times the system or user communicated with the threat list, multiplied by the weight of the threat list.

As a formula, risk score of a system or user + (threat list weight x event count) = additional risk.

As a more specific example, if a search detects host DPTHOT1 communicating with a host on a spyware threat list during a particular time period, the base risk score is set to 40. Then, since DPTHOT1 communicated with the threatlisted host twice, and the spyware threat list has a weight of one, the search modifies the risk score to a total risk score of 42.