Analyze risk in Splunk Enterprise Security
A risk score is a single metric that shows the relative risk of a device or user in the network environment over time. Splunk Enterprise Security classifies a device as a system, a user as a user, and unrecognized devices or users as other.
Enterprise Security uses risk analysis to take note of and calculate the risk of small events and suspicious behavior over time to your environment. The Risk Analysis dashboard displays these risk scores and other risk-related information. Enterprise Security indexes all risk as events in the
How Splunk Enterprise Security assigns risk scores
A risk score is a single metric that shows the relative risk of a device or user object in the network environment over time. An object represents a system, a user, or an unspecified other.
Enterprise Security uses correlation searches to correlate machine data with asset and identity data, which comprises the devices and user objects in a network environment. Correlation searches search for a conditional match to a question. When a match is found, an alert is generated as a notable event, a risk modifier, or both.
- A notable event becomes a task. It is an event that must be assigned, reviewed, and closed.
- A risk modifier becomes a number. It is an event that will add to the risk score of a device or user object.
Risk scoring example
The host RLOG-10 is a jump server that is generating several notable events. The correlation searches Excessive Failed Logins, and Default Account Activity Detected are creating one notable event a day for that system. As RLOG-10 is a jump server, several network credentials are being used against this host, and software or other utilities may have been installed. As a jump server, this behavior is less interesting than if the same behavior is observed on the production DNS server. Rather than ignoring or suppressing notable events generated by jump servers, you can create jump-server-specific rules to monitor those servers differently.
You can do this by creating a correlation search that assigns a risk modifier when the correlation matches hosts that serve as jump servers.
- Isolate jump servers from the existing correlation searches using a whitelist. See Whitelist events in Administer Splunk Enterprise Security for more information.
- Create and schedule a new correlation search based on Excessive Failed Logins, but isolate the search to the jump server hosts and assign a risk modifier alert type only.
- Verify the risk modifiers are applied to the jump server hosts by raising their risk score incrementally. With the new correlation search, no notable events will be created for those hosts based on failed logins.
As the relative risk score goes up, RLOG-10 can be compared to all network servers and to other jump servers. If the relative risk score for RLOG-10 exceeds its peers, that host would be investigated by an analyst. If the risk scores of all jump servers are higher relative to other network hosts, an internal security policy may need to be reviewed or implemented differently. See the Risk Analysis With Enterprise Security 3.1 blog post for additional examples.
Assign risk to an object
Create a risk analysis response action, or risk modifier, to assign risk to an object. You can assign risk to objects in several ways.
- Assign risk automatically as part of a correlation search. See Modify a risk score with a risk modifier in Administer Splunk Enterprise Security.
- Assign risk on as an ad hoc adaptive response action from Incident Review. See Modify a risk score with a risk modifier in this manual.
- Create an ad hoc risk entry from the Risk Analyis dashboard. See Create an ad hoc risk entry in Splunk Enterprise Security in this manual.
- Assign risk through a search. See the example below.
Example of assigning a risk score through search
A correlation or other search can directly modify a risk score without using an alert. In this way, it can alter the risk score of a system or user based on the results of a search, rather than only when search results match a particular set of conditions.
For example, the Threat Activity Detected correlation search uses search-assigned risk in addition to an alert-type risk modifier. When the search finds an asset or identity communicating with a host that matches a configured threat list, the search modifies the risk score accordingly. In this case, the risk modifier reflects the number of times the system or user communicated with the threat list, multiplied by the weight of the threat list.
As a formula, risk score of a system or user
+ (threat list weight
x event count)
= additional risk.
As a more specific example, if a search detects host DPTHOT1 communicating with a host on a spyware threat list during a particular time period, the base risk score is set to 40. Then, because DPTHOT1 communicated with the host on the threat list twice, and the spyware threat list has a weight of one, the search modifies the risk score to a total risk score of 42.
See Risk Analysis Framework for more about assigning risk scores with search.
Score ranges for risk
Risk scoring offers a way to capture and aggregate the activities of an asset or identity into a single metric using risk modifiers.
The correlation searches included in Enterprise Security assign a risk score between 20 and 100 depending on the relative severity of the activity found in the correlation search. The searches scope the default scores to a practical range. This range does not represent an industry standard. Enterprise Security does not define an upper limit for the total risk score of an identity or asset, but operating systems can impose a limit. For example, 32-bit operating systems limit a risk score to two million.
Risk score levels use the same naming convention as event severity. You can assess relative risk scores by comparing hosts with similar roles and asset priority.
- 20 - Info
- 40 - Low
- 60 - Medium
- 80 - High
- 100 - Critical
ES Admins can edit correlation searches to modify the risk score that the risk analysis response action assigns to an object. See Included adaptive response actions with Splunk Enterprise Security in Administer Splunk Enterprise Security.
Managing risk objects
Enterprise Security associates risk modifiers with risk objects.
Risk object field
The risk object field is a reference to a search field returned by a correlation search. Correlation searches use fields such as
dest to report on matching results. The risk object field represents a system, host, device, user, role, credential, or any object that the correlation search is designed to report on. Review any correlation search that assigns a risk score for examples of fields that receive a risk score.
Risk object types
Splunk Enterprise Security defines three risk object types.
|System||Network device or technology. Can represent a device in the asset lookup.|
|User||Network user, credential, or role. Can represent an identity in the identity lookup.|
|Other||Any undefined object that is represented as a field in a data source.|
If a risk object matches an object in the asset or identity table, Enterprise Security maps the object as the associated type. For example, an object that matches an asset in the asset lookup is mapped to a risk object type of system. However, devices and users do not need to be represented in the corresponding asset and identity tables to be identified as system or user risk objects. ES categorizes undefined or experimental object types with a risk object type of Other.
Refer to your action history in Splunk Enterprise Security
Create an ad hoc risk entry in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6