The Risk Analysis dashboard displays recent changes to risk scores and objects that have the highest risk scores. As an analyst, you can use this dashboard to assess relative changes in risk scores and examine the events that contribute to an object's risk score.
A risk score is a single metric that shows the relative risk of a device or user object in the network environment over time. An object represents a system, a user, or an unspecified other.
Enterprise Security uses correlation searches to correlate machine data with asset and identity data, which comprises the devices and user objects in a network environment. Correlation searches search for a conditional match to a question. When a match is found, an alert is generated as a notable event, a risk modifier, or both.
- A notable event becomes a task. It is an event that must be assigned, reviewed, and closed.
- A risk modifier becomes a number. It is an event that will add to the risk score of a device or user object.
See Configure Risk Scoring in this manual.
Risk scoring example
The host RLOG-10 is a jump server that is generating several notable events. The correlation searches Excessive Failed Logins, and Default Account Activity Detected are creating one notable event a day for that system. As RLOG-10 is a jump server, several network credentials are being used against this host, and software or other utilities may have been installed. As a jump server, this behavior is less interesting than if the same behavior is observed on the production DNS server. Rather than ignoring or suppressing notable events generated by jump servers, you can create jump-server-specific rules to monitor those servers differently.
You can do this by creating a correlation search that assigns a risk modifier when the correlation matches hosts that serve as jump servers.
- Isolate jump servers from the existing correlation searches using a whitelist. See Whitelist events for more information.
- Create and schedule a new correlation search based on Excessive Failed Logins, but isolate the search to the jump server hosts and assign a risk modifier alert type only.
- Verify the risk modifiers are applied to the jump server hosts by raising their risk score incrementally. With the new correlation search, no notable events will be created for those hosts based on failed logins.
As the relative risk score goes up, RLOG-10 can be compared to all network servers and to other jump servers. If the relative risk score for RLOG-10 exceeds its peers, that host would be investigated by an analyst. If the risk scores of all jump servers are higher relative to other network hosts, an internal security policy may need to be reviewed or implemented differently. See the Risk Analysis With Enterprise Security 3.1 blog post for additional examples.
Use the Risk Analysis dashboard
You can use the Risk Analysis dashboard to review changes to an object's risk score, determine the source of a risk increase, and decide if additional action is needed.
Use any of the available filters on the Risk Analysis dashboard to search and filter the results. A filter is applied to all panels in the dashboard, but not the key security indicators.
|Source||Filter by the correlation search that has risk modifiers|
|Risk Object||Select a risk object type and type a string to filter by risk object. Risk object type defaults to All.|
The Risk Object filter works by performing a reverse lookup against the asset and identity tables to find all fields that have been associated with the specified Risk Object. All associated objects found by the reverse lookup then display on the dashboard. For example, if you select a risk object type of system and type a Risk Object of 10.10.1.100, the reverse lookup against the assets table could return a MAC address. The Risk Analysis dashboard will update to display any risk score applied to the 10.10.1.100 address and a MAC address. If no match to another object was found in the asset table, only the IP address matches from the Risk Analysis data model will be displayed.
The Risk Analysis dashboard offers additional views to help analyze risk scoring changes and what caused the changes. Use the filters to refine the view to a specific object or group of objects. Use the drilldown to explore the data as events.
|Key Indicators||Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual.|
|Risk Modifiers Over Time||Displays the changes made to risk modifiers over time. Use the dashboard filters to scope the view to a specific object or group of objects. The drilldown opens a search on all events in the Risk data model scoped to the selected time frame.|
|Risk Score By Object||Displays the objects with the highest risk score. The drilldown opens a search with the selected risk object and scoped to the selected time frame.|
|Most Active Sources||Displays the correlation searches that contribute the highest amount of risk to any object. The drilldown opens a search with the selected source.|
|Recent Risk Modifiers||Displays a table of the most recent changes in a risk score, the source of the change, and the object.|
Create an Ad-Hoc Risk Entry
Creating an ad-hoc risk entry allows you to make a manual, one-time adjustment to an object's risk score. You can use it to add a positive or negative number to the risk score of an object. Several fields should be completed when adding an ad-hoc risk entry.
|Ad-hoc Risk Score field||Description|
|Score||The number added to a Risk object. Can be a positive or negative integer.|
|Description||A reason or note for manually adjusting an object's risk score. The Description field is mandatory for an ad-hoc risk score.|
|Risk object||Text field. Wildcard with an asterisk (*)|
|Risk object type||Drop-down: select to filter by.|
Configure risk scoring
This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only