Splunk® Enterprise Security

Use Splunk Enterprise Security

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Create an ad hoc risk entry in Splunk Enterprise Security

Creating an ad-hoc risk entry allows you to make a manual, one-time adjustment to an object's risk score. You can use it to add a positive or negative number to the risk score of an object.

  1. Select Security Intelligence > Risk Analysis.
  2. Click Create Ad-hoc Risk Entry.
  3. Complete the form.
  4. Click Save.
Risk Modifiers Description
Risk Score The number added to a Risk object. Can be a positive or negative integer.
Risk object Text field. Wildcard with an asterisk (*)
Risk object type Drop-down: select to filter by.

Use security framework annotations in an ad-hoc risk entry

Use annotations to add context from industry-standard mappings to your ad-hoc risk entry results. Only MITRE ATT&CK definitions are pre-populated for enrichment.

Annotations are enriched with industry-standard context.

  1. Scroll to Annotations.
  2. Add annotations for the common framework names listed. These fields are for use with industry-standard mappings, but also allow custom values. Industry-standard mappings include values such as the following:
    Security FrameworkFive Random Mapping Examples
    CIS 20CIS 3, CIS 9, CIS 11, CIS 7, CIS 12
    Kill Chain Reconnaissance, Actions on Objectives, Exploitation, Delivery, Lateral Movement
    MITRE ATT&CKT1015, T1138, T1084, T1068, T1085
    This field also contains mitre technique names for you to select because they are pre-populated for enrichment.
  3. Click Save.

Dashboard example
Consider MITRE ATT&CK annotations as an example. You see them in dashboards by ID, such as T1015, rather than by the technique name.

Unmanaged Annotations
Unmanaged annotations are not enriched with any industry-standard context.

  1. Scroll to Unmanaged Annotations.
  2. Click + Framework to add your own framework names and their mapping categories. These are free-form fields.
  3. Click Save.

Search example
Consider unmanaged annotations as an example. If you search the risk index directly, you see your unmanaged annotations.


Search results
Unmanaged annotations display results as annotations._all with your <unmanaged_attribute_value>, and annotations._frameworks with your <unmanaged_framework_value>.

i Time Event
> 7/22/20
5:34:09.000 PM
1595453646, search_name="AdHoc Risk Score", annotations="{\"example_attack\":[],\"example-net\":[\"nim\",\"butler\",\"koko\"]}", annotations._all="butler", annotations._all="nim", annotations._all="koko", annotations._frameworks="example-net", annotations.example-net="nim", annotations.example-net="butler", annotations.example-net="koko", creator="admin", description="test", info_max_time="+Infinity", info_min_time="0.000", risk_object="testuser", risk_object_type="user", risk_score="10.0"
Last modified on 29 January, 2021
Analyze risk in Splunk Enterprise Security
Create a glass table in

This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0, 6.4.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters