Create an ad hoc risk entry in Splunk Enterprise Security
Creating an ad-hoc risk entry allows you to make a manual, one-time adjustment to an object's risk score. You can use it to add a positive or negative number to the risk score of an object.
- Select Security Intelligence > Risk Analysis.
- Click Create Ad-hoc Risk Entry.
- Complete the form.
- Click Save.
Risk Modifiers | Description
---|---
Risk Score | The number added to a risk object. Can be a positive or negative integer.
Risk object | Text field. Wildcard with an asterisk (*).
Risk object type | Drop-down: select a type to filter by.
Use security framework annotations in an ad-hoc risk entry
Use annotations to add context from industry-standard mappings to your ad-hoc risk entry results. Only MITRE ATT&CK definitions are pre-populated for enrichment.
Annotations
Annotations are enriched with industry-standard context.
- Scroll to Annotations.
- Add annotations for the common framework names listed. These fields are for use with industry-standard mappings, but also allow custom values. Industry-standard mappings include values such as the following:
Security Framework | Five Random Mapping Examples
---|---
CIS 20 | CIS 3, CIS 9, CIS 11, CIS 7, CIS 12
Kill Chain | Reconnaissance, Actions on Objectives, Exploitation, Delivery, Lateral Movement
MITRE ATT&CK | T1015, T1138, T1084, T1068, T1085. This field also contains MITRE technique names for you to select, because they are pre-populated for enrichment.
NIST | PR.IP, PR.PT, PR.AC, PR.DS, DE.AE
- Click Save.
Dashboard example
Consider MITRE ATT&CK annotations as an example. You see them in dashboards by ID, such as T1015, rather than by the technique name.
Unmanaged Annotations
Unmanaged annotations are not enriched with any industry-standard context.
- Scroll to Unmanaged Annotations.
- Click + Framework to add your own framework names and their mapping categories. These are free-form fields.
- Click Save.
Search example
Consider unmanaged annotations as an example. If you search the risk index directly, you see your unmanaged annotations.
index=risk
Search results
Unmanaged annotations display results as annotations._all with your <unmanaged_attribute_value>, and annotations._frameworks with your <unmanaged_framework_value>.
Time | Event
---|---
7/22/20 5:34:09.000 PM | 1595453646, search_name="AdHoc Risk Score", annotations="{\"example_attack\":[],\"example-net\":[\"nim\",\"butler\",\"koko\"]}", annotations._all="butler", annotations._all="nim", annotations._all="koko", annotations._frameworks="example-net", annotations.example-net="nim", annotations.example-net="butler", annotations.example-net="koko", creator="admin", description="test", info_max_time="+Infinity", info_min_time="0.000", risk_object="testuser", risk_object_type="user", risk_score="10.0"
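The following is an added example, not code from Splunk or from this documentation. It parses raw risk-index events of the form shown above into multivalue fields, reconstructs the unmanaged framework mappings from annotations._frameworks and the annotations.<framework> fields, checks that annotations._all is the union of those per-framework values, and rolls up risk_score per risk object. The first sample event mirrors the one shown above; the second and third are constructed for illustration, as are the helper names (parse_risk_event, unmanaged_frameworks, annotations_consistent, risk_by_object).

```python
import json
import re
from collections import defaultdict

# Constructed sample events in the key="value" layout of the risk index.
# The first mirrors the event shown in the documentation; the other two are
# made up (a negative ad hoc adjustment, and an entry with no annotations).
SAMPLE_EVENTS = [
    r'1595453646, search_name="AdHoc Risk Score", annotations="{\"example_attack\":[],\"example-net\":[\"nim\",\"butler\",\"koko\"]}", annotations._all="butler", annotations._all="nim", annotations._all="koko", annotations._frameworks="example-net", annotations.example-net="nim", annotations.example-net="butler", annotations.example-net="koko", creator="admin", description="test", info_max_time="+Infinity", info_min_time="0.000", risk_object="testuser", risk_object_type="user", risk_score="10.0"',
    r'1595453700, search_name="AdHoc Risk Score", annotations="{\"example-net\":[\"nim\"]}", annotations._all="nim", annotations._frameworks="example-net", annotations.example-net="nim", creator="admin", description="false positive", risk_object="testuser", risk_object_type="user", risk_score="-4.0"',
    r'1595453800, search_name="AdHoc Risk Score", annotations="{}", creator="admin", description="host review", risk_object="srv01", risk_object_type="system", risk_score="25.0"',
]

# One key="value" pair. The value may contain backslash-escaped quotes, which is
# how the nested annotations JSON appears inside the raw event.
KV_RE = re.compile(r'([A-Za-z_][\w.\-]*)="((?:[^"\\]|\\.)*)"')


def parse_risk_event(raw: str) -> dict:
    """Parse a raw risk-index event into {field: [values]}.

    Multivalue fields are written as a repeated key (annotations._all appears
    once per value), so every field is kept as a list in first-seen order.
    """
    fields = defaultdict(list)
    for key, value in KV_RE.findall(raw):
        fields[key].append(value.replace('\\"', '"'))
    return dict(fields)


def unmanaged_frameworks(fields: dict) -> dict:
    """Return {framework: [values]} using annotations._frameworks as the list of
    framework names and annotations.<framework> as each framework's values."""
    return {
        fw: list(fields.get(f"annotations.{fw}", []))
        for fw in fields.get("annotations._frameworks", [])
    }


def annotations_consistent(fields: dict) -> bool:
    """True when annotations._all equals the union of the per-framework values
    and each framework's values match the nested annotations JSON."""
    by_fw = unmanaged_frameworks(fields)
    flattened = {v for vals in by_fw.values() for v in vals}
    if flattened != set(fields.get("annotations._all", [])):
        return False
    nested = json.loads(fields["annotations"][0])
    return all(set(nested.get(fw, [])) == set(vals) for fw, vals in by_fw.items())


def risk_by_object(raw_events) -> dict:
    """Sum risk_score per (risk_object_type, risk_object) across events, which
    is the roll-up an analyst sees as an object's total risk."""
    totals = defaultdict(float)
    for raw in raw_events:
        f = parse_risk_event(raw)
        key = (f["risk_object_type"][0], f["risk_object"][0])
        totals[key] += float(f["risk_score"][0])
    return dict(totals)


if __name__ == "__main__":
    first = parse_risk_event(SAMPLE_EVENTS[0])
    print("frameworks:", unmanaged_frameworks(first))
    print("consistent:", annotations_consistent(first))
    print("totals:", risk_by_object(SAMPLE_EVENTS))
```

The per-value repetition of annotations._all is the detail to keep in mind when you export risk events outside Splunk: a parser that keeps only the last value for a repeated key silently drops annotations, which is why the parser above stores every field as a list.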
This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0, 6.4.1