The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create an ad hoc risk entry in Splunk Enterprise Security

Creating an ad hoc risk entry allows you to make a manual, one-time adjustment to an object's risk score. You can use it to add a positive or negative number to the risk score of an object.

  1. Select Security Intelligence > Risk Analysis.
  2. Click Create Ad-hoc Risk Entry.
  3. Complete the form.
  4. Click Save.

Risk Modifiers:

  Risk Score: The number added to a risk object. Can be a positive or negative integer.
  Risk object: Text field. Wildcard with an asterisk (*).
  Risk object type: Drop-down list. Select a type to filter by.

Add a threat object to an ad hoc risk entry in Splunk Enterprise Security

You can add threat objects to an ad hoc risk entry to correlate threat objects with risk events and make adjustments to the risk score.

  1. Select Security Intelligence > Risk Analysis.
  2. Click Create Ad-hoc Risk Entry.
  3. Make adjustments to the form as required.
  4. Populate the Threat Object and the Threat Object Type fields.
  5. Click Save.

Threat Objects:

  Threat Object: Specify a threat object that poses a threat to the environment, including a command or a script that you must run. For example: payload
  Threat Object Type: Type of the threat object. For example: file_hash

Use security framework annotations in an ad hoc risk entry

Use annotations to add context from industry-standard mappings to your ad hoc risk entry results. Only MITRE ATT&CK definitions are pre-populated for enrichment.


Annotations
Annotations are enriched with industry-standard context.

  1. Scroll to Annotations.
  2. Add annotations for the common framework names listed. These fields are for use with industry-standard mappings, but also allow custom values. Industry-standard mappings include values such as the following:

     Security Framework: Five random mapping examples
     CIS 20: CIS 3, CIS 9, CIS 11, CIS 7, CIS 12
     Kill Chain: Reconnaissance, Actions on Objectives, Exploitation, Delivery, Lateral Movement
     MITRE ATT&CK: T1015, T1138, T1084, T1068, T1085
       This field also lists MITRE ATT&CK technique names for you to select, because they are pre-populated for enrichment.
     NIST: PR.IP, PR.PT, PR.AC, PR.DS, DE.AE
  3. Click Save.

Dashboard example
Consider MITRE ATT&CK annotations as an example. You see them in dashboards by ID, such as T1015, rather than by the technique name.


Unmanaged Annotations
Unmanaged annotations are not enriched with any industry-standard context.

  1. Scroll to Unmanaged Annotations.
  2. Click + Framework to add your own framework names and their mapping categories. These are free-form fields.
  3. Click Save.

Search example
Consider unmanaged annotations as an example. If you search the risk index directly, you see your unmanaged annotations.

index=risk

Search results
Unmanaged annotations display results as annotations._all with your <unmanaged_attribute_value>, and annotations._frameworks with your <unmanaged_framework_value>.

Time: 7/22/20 5:34:09.000 PM

Event:
1595453646, search_name="AdHoc Risk Score", annotations="{\"example_attack\":[],\"example-net\":[\"nim\",\"butler\",\"koko\"]}", annotations._all="butler", annotations._all="nim", annotations._all="koko", annotations._frameworks="example-net", annotations.example-net="nim", annotations.example-net="butler", annotations.example-net="koko", creator="admin", description="test", info_max_time="+Infinity", info_min_time="0.000", risk_object="testuser", risk_object_type="user", risk_score="10.0"
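The following Python example is added here and is not part of the Splunk documentation or of Splunk Enterprise Security itself. It works on raw risk-index events in the format shown in the search results above: the first sample event is adapted from the page's event (with the derived annotations.* fields dropped, since the example recomputes them), and the other two are constructed. It rebuilds the annotations._all, annotations._frameworks and annotations.<framework> fields from the annotations JSON, and sums risk_score per risk object so you can see how a positive or negative ad hoc entry shifts an object's total. The field names and event layout come from the page; the key="value" parsing and the rule that empty framework lists produce no field are assumptions drawn from the sample event, not Splunk's own field extraction.

```python
import json
import re
from collections import defaultdict

# Constructed sample events in the raw form shown in the documentation's
# search results. Event 1 is adapted from the page; events 2 and 3 are
# constructed to show a negative ad hoc modifier and a second risk object.
SAMPLE_EVENTS = [
    r'1595453646, search_name="AdHoc Risk Score", annotations="{\"example_attack\":[],\"example-net\":[\"nim\",\"butler\",\"koko\"]}", creator="admin", description="test", risk_object="testuser", risk_object_type="user", risk_score="10.0"',
    r'1595453700, search_name="AdHoc Risk Score", annotations="{\"mitre_attack\":[\"T1068\"],\"example-net\":[]}", creator="admin", description="false positive", risk_object="testuser", risk_object_type="user", risk_score="-4.0"',
    r'1595453800, search_name="AdHoc Risk Score", annotations="{}", creator="analyst", description="lab host", risk_object="10.0.0.5", risk_object_type="system", risk_score="25.0"',
]

# key="value" pairs; a value may contain backslash-escaped quotes, which is
# how the annotations JSON appears inside the raw event.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_event(raw):
    """Split one raw risk event into a dict of field -> unescaped value."""
    fields = {}
    for key, value in KV_RE.findall(raw):
        fields[key] = value.replace('\\"', '"')
    return fields


def expand_annotations(annotations_json):
    """Flatten the annotations JSON into the fields ES surfaces on the event:
    annotations._all, annotations._frameworks and annotations.<framework>.
    Empty framework lists are skipped, matching the page's sample event where
    "example_attack":[] produces no field (assumption based on that sample)."""
    mapping = json.loads(annotations_json) if annotations_json else {}
    flat = {"annotations._all": [], "annotations._frameworks": []}
    for framework, values in mapping.items():
        if not values:
            continue
        flat["annotations._frameworks"].append(framework)
        flat["annotations." + framework] = list(values)
        flat["annotations._all"].extend(values)
    return flat


def risk_totals(events):
    """Sum risk_score per (risk_object, risk_object_type) so that negative
    ad hoc entries visibly reduce an object's accumulated score."""
    totals = defaultdict(float)
    for raw in events:
        fields = parse_event(raw)
        key = (fields["risk_object"], fields["risk_object_type"])
        totals[key] += float(fields["risk_score"])
    return dict(totals)


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        fields = parse_event(raw)
        print(fields["risk_object"], fields["risk_score"],
              expand_annotations(fields["annotations"]))
    print(risk_totals(SAMPLE_EVENTS))
```

Running the script shows testuser ending at 6.0 after the 10.0 entry and the -4.0 adjustment, and the constructed system object at 25.0; the expanded fields for the first event match the annotations._all, annotations._frameworks and annotations.example-net values in the page's search result.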
Last modified on 22 November, 2021
This documentation applies to the following versions of Splunk® Enterprise Security: 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2