Splunk® Enterprise Security

Use Splunk Enterprise Security


Create an ad hoc risk entry in Splunk Enterprise Security

Creating an ad-hoc risk entry allows you to make a manual, one-time adjustment to an object's risk score. You can use it to add a positive or negative number to the risk score of an object.

  1. Select Security Intelligence > Risk Analysis.
  2. Click Create Ad-hoc Risk Entry.
  3. Complete the form.
Ad-hoc Risk Score field   Description
Score                     The number added to the risk object's score. Can be a positive or negative integer.
Description               A reason or note for manually adjusting the object's risk score. This field is mandatory for an ad hoc risk score.
Risk object               Text field. Use an asterisk (*) as a wildcard.
Risk object type          Drop-down list. Select the type of risk object to filter by.

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1


An additional method to increase risk in an ad-hoc fashion is via SPL. An additional benefit of the SPL method is the ability to simultaneously update risk scores for system and user objects.

| localop | stats count | eval dest="vladimir_foo", user="vladimir_bar"
| eval risk_object=dest | sendalert risk param._risk_object_type="system" param._risk_score=42
| eval risk_object=user | sendalert risk param._risk_object_type="user" param._risk_score=12

You are able to later spot check the score by running:

index=risk sourcetype=stash risk_object="vladimir*" | table _time risk_object risk_object_type source description risk_score

Also, this is documented at http://dev.splunk.com/view/enterprise-security/SP-CAAAFBD

Hire vladimir
November 3, 2017
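The spot-check search in the comment above returns one row per risk modifier, and the form above allows negative manual adjustments. The following added Python example (not Splunk's code or the commenter's) nets those rows per risk object, separates manual from correlation-search contributions, and flags manual reductions that a SOC lead would want to review. The source label used for ad hoc entries and the sample rows are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed label for manually created entries; use whatever source value your own
# risk index records for ad hoc entries (visible in the spot-check search output).
MANUAL_SOURCE = "Ad-hoc Risk Score"

# Constructed rows in the shape of the spot-check search:
# ... | table _time risk_object risk_object_type source description risk_score
SAMPLE_EVENTS = [
    {"_time": "2017-11-03T10:00:00", "risk_object": "vladimir_foo", "risk_object_type": "system",
     "source": "Threat - Example Correlation - Rule", "description": "Correlation search hit", "risk_score": "40"},
    {"_time": "2017-11-03T10:05:00", "risk_object": "vladimir_foo", "risk_object_type": "system",
     "source": MANUAL_SOURCE, "description": "Confirmed false positive, offsetting", "risk_score": "-40"},
    {"_time": "2017-11-03T10:06:00", "risk_object": "vladimir_bar", "risk_object_type": "user",
     "source": MANUAL_SOURCE, "description": "", "risk_score": "-90"},
    {"_time": "2017-11-03T10:07:00", "risk_object": "other_host", "risk_object_type": "system",
     "source": MANUAL_SOURCE, "description": "Incident 42 escalation", "risk_score": "12"},
]

def match_risk_object(pattern, value):
    """Match the way the Risk object form field does: '*' is the only wildcard."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None

def net_risk(events, pattern="*"):
    """Net score per (risk_object, risk_object_type), split into manual and automated parts."""
    totals = defaultdict(lambda: {"net": 0, "manual": 0, "automated": 0})
    for ev in events:
        if not match_risk_object(pattern, ev["risk_object"]):
            continue
        score = int(ev["risk_score"])  # negative for an offsetting ad hoc entry
        key = (ev["risk_object"], ev["risk_object_type"])
        part = "manual" if ev["source"] == MANUAL_SOURCE else "automated"
        totals[key][part] += score
        totals[key]["net"] += score
    return dict(totals)

def audit_manual_adjustments(events, max_reduction=50):
    """Manual entries worth a second look: large reductions or an empty description."""
    findings = []
    for ev in events:
        if ev["source"] != MANUAL_SOURCE:
            continue
        score = int(ev["risk_score"])
        if not ev["description"].strip():
            findings.append((ev["risk_object"], score, "missing description"))
        if score < -max_reduction:
            findings.append((ev["risk_object"], score, "reduction exceeds %d" % max_reduction))
    return findings
```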
