Use default risk factors in Splunk Enterprise Security
Use default risk factors designed for specific conditions to dynamically assign risk scores to risk objects and effectively isolate threats using Splunk Enterprise Security. Splunk Enterprise Security provides seven risk factors by default, which may be further customized based on your specific environment. You may also use these default risk factors as examples for guidance and create your own risk factors based on your environment.
All risk factors will be automatically displayed on the left panel of the Risk factor Editor. However, the default risk factors available in Enterprise Security will be disabled.
Following is the list of risk factors that are available on the app by default:
Number | Risk factor | Description |
---|---|---|
1 | Admin User | Increases the risk score of a user who has a privileged or administrative identity. So, if "user_category" field matches regex value of "admin", risk factor is increased by a multiple of 1.5. |
2 | Contractor User | Increases the risk score for a user who is a contractor. So, if "user_category" field value is "contractor", risk score is increased by a sum of 5. |
3 | Critical Priority Destination | Increases the risk score for critical destinations. So, if "dest_priority" field value is "critical", risk factor is increased by a multiple of 1.5. |
4 | High Priority User | Increases the risk score for high priority users. So, if "user_priority" field value is "high", the risk factor is increased by a multiple of 1.25. |
5 | Watchlisted Priority User | Increases the risk score for users on a watch list when the user is not on a priority list. So, if "user_watchlist" field is equal to "true" and the "user_priority" is not equal to "low", risk factor is increased by a multiple of 1.5. For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage. |
6 | Watchlisted User | Increases the risk score for users on a watch list by a multiple of 1.5. So, if "user_watchlist" is "true", risk factor is increased by a multiple of 1.5. For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage. |
Manage risk factors in Splunk Enterprise Security | Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2
Feedback submitted, thanks!