Manage risk factors in Splunk Enterprise Security
Manage existing risk factors by monitoring them in Splunk Enterprise Security to track evolving security threats.
Risk factors are a set of rules or tuning factors on the basis of which risk scores may be dynamically calculated for a risk object or entity that may be an asset, identity, or a device. The "base" risk score is a value based on the correlation search or event that was created. Risk factors assign a "calculated" risk score based on the conditions specified in the metadata for the risk objects, like priority, category, user, asset, and so on. Finally, the "total risk score" is the sum of all calculated risk scores for a risk object within a specific time frame. Therefore, you must monitor and edit the list of existing risk factors in your deployment using the Risk Factors Editor.
Access the Risk Factor Editor to manage risk factors
- From the Enterprise Security menu, select Configure > Content > Content Management.
- (Optional) From the Type drop-down filter, select Risk Factors.
This sorts and displays the list of existing risk factors.
- From the Create New Content drop down, select Risk Factors.
This opens the Risk Factors Editor.
Use Splunk Enterprise Security Risk Factor Editor to perform the following actions:
- Identify existing list of risk factors in your deployment by viewing the list on the left pane editor.
- Search for specific risk factors by typing the name in the search bar on the left pane of the editor.
- Sort risk factors based on the name, the expression group, or the score of the risk factor. From the Sort By drop down menu in the left pane of the editor, select Name, Operation, or Risk Factor Value to display the sorted list of the risk factors.
- Display disabled risk factors by dragging the Show disabled button to the right in the left pane of the editor. This displays the list of disabled risk factors.
- Enable risk factors by right clicking on the Enable button from the drop down menu associated with the specific risk factor. Alternatively, you can enable any of the risk factors by dragging the Enable button for the specific risk factor in the center pane. This helps you to activate risk factors based on your requirements and evolving security threats over time.
- Delete risk factors by right clicking on the Delete button from the drop down menu associated with the specific risk factor.
- Clone risk factors by right clicking on the Clone button from the drop down menu associated with the specific risk factor.
Additionally, the right panel of the Risk Factors editor also displays the following information:
- Matching risk events based on specified conditions
- Similar risk factors to the one that is currently being edited
Create risk factors in Splunk Enterprise Security
Use default risk factors in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2