Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Use default risk incident rules in Splunk Enterprise Security

Use default risk incident rules to run correlation searches that create adaptive response actions or generate notable events.

The following correlation searches use the default incident rules and are enabled in Splunk Enterprise Security:

1. The correlation search ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 days creates notables when the number of MITRE tactics exceeds three over the last seven days i.e. tactic_count >=3 and source_count >=4.

| tstats `summariesonly` values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactic, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactic_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as technique, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as technique_count, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | where tactic_count >= 3 and source_count >= 4

2. The correlation search Risk Threshold Exceeded for Object Over 24 Hour Period.
creates notables when the risk score for an object exceeds 100 over the last 24 hours i.e. risk_score_sum > 100.

| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score_sum, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactic, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactic_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as technique, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as technique_count, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type | where risk_score_sum > 100 | `drop_dm_object_name("All_Risk")` | eval severity=case(risk_score_sum>=100 and risk_score_sum<250, "medium", risk_score_sum>=250 and risk_score_sum<500, "high", risk_score_sum>=500, "critical")


You can also customize these correlation searches and edit them to change specific conditions. For example, you may want to increase the risk score threshold by 200 instead of 100 over the last 24 hours. For more information on editing correlation searches, see Edit correlation searches.

Last modified on 05 March, 2021
PREVIOUS
Enable notables for correlation searches
  NEXT
Create sequence templates in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters