Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

Download topic as PDF

Create an ad hoc risk entry in Splunk Enterprise Security

Creating an ad-hoc risk entry allows you to make a manual, one-time adjustment to an object's risk score. You can use it to add a positive or negative number to the risk score of an object.

  1. Select Security Intelligence > Risk Analysis.
  2. Click Create Ad-hoc Risk Entry.
  3. Complete the form.
  4. Click Save.
Ad-hoc Risk Score field Description
Score The number added to a Risk object. Can be a positive or negative integer.
Description A reason or note for manually adjusting an object's risk score. The Description field is mandatory for an ad hoc risk score.
Risk object Text field. Wildcard with an asterisk (*)
Risk object type Drop-down: select to filter by.

Use security framework annotations in an ad-hoc risk entry

Use annotations to add context from industry-standard mappings to your ad-hoc risk entry results. Only MITRE ATT&CK definitions are pre-populated for enrichment.


Annotations
Annotations are enriched with industry-standard context.

  1. Scroll to Annotations.
  2. Add annotations for the common framework names listed. These fields are for use with industry-standard mappings, but also allow custom values. Industry-standard mappings include values such as the following:
    Security FrameworkFive Random Mapping Examples
    CIS 20CIS 3, CIS 9, CIS 11, CIS 7, CIS 12
    Kill Chain Reconnaissance, Actions on Objectives, Exploitation, Delivery, Lateral Movement
    MITRE ATT&CKT1015, T1138, T1084, T1068, T1085
    This field also contains mitre technique names for you to select because they are pre-populated for enrichment.
    NISTPR.IP, PR.PT, PR.AC, PR.DS, DE.AE
  3. Click Save.

Dashboard example
Consider MITRE ATT&CK annotations as an example. You see them in dashboards by ID, such as T1015, rather than by the technique name.


Unmanaged Annotations
Unmanaged annotations are not enriched with any industry-standard context.

  1. Scroll to Unmanaged Annotations.
  2. Click + Framework to add your own framework names and their mapping categories. These are free-form fields.
  3. Click Save.

Search example
Consider unmanaged annotations as an example. If you search the risk index directly, you see your unmanaged annotations.

index=risk

Search results
Unmanaged annotations display results as annotations._all with your <unmanaged_attribute_value>, and annotations._frameworks with your <unmanaged_framework_value>.

i Time Event
> 7/22/20
5:34:09.000 PM
1595453646, search_name="AdHoc Risk Score", annotations="{\"example_attack\":[],\"example-net\":[\"nim\",\"butler\",\"koko\"]}", annotations._all="butler", annotations._all="nim", annotations._all="koko", annotations._frameworks="example-net", annotations.example-net="nim", annotations.example-net="butler", annotations.example-net="koko", creator="admin", description="test", info_max_time="+Infinity", info_min_time="0.000", risk_object="testuser", risk_object_type="user", risk_score="10.0"
Last modified on 23 July, 2020
PREVIOUS
Analyze risk in Splunk Enterprise Security
  NEXT
Create a glass table in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters