Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Manage risk factors in Splunk Enterprise Security

Manage existing risk factors by monitoring them in Splunk Enterprise Security to track evolving security threats.

Risk factors are a set of rules or tuning factors on the basis of which risk scores may be dynamically calculated for a risk object or entity that may be an asset, identity, or a device. The "base" risk score is a value based on the correlation search or event that was created. Risk factors assign a "calculated" risk score based on the conditions specified in the metadata for the risk objects, like priority, category, user, asset, and so on. Finally, the "total risk score" is the sum of all calculated risk scores for a risk object within a specific time frame. Therefore, you must monitor and edit the list of existing risk factors in your deployment using the Risk Factors Editor.

Access the Risk Factor Editor to manage risk factors

  1. From the Enterprise Security menu, select Configure > Content > Content Management.
  2. (Optional) From the Type drop-down filter, select Risk Factors.
    This sorts and displays the list of existing risk factors.
  3. From the Create New Content drop down, select Risk Factors.
    This opens the Risk Factors Editor.

Use Splunk Enterprise Security Risk Factor Editor to perform the following actions:

  • Identify existing list of risk factors in your deployment by viewing the list on the left pane editor.
  • Search for specific risk factors by typing the name in the search bar on the left pane of the editor.
  • Sort risk factors based on the name, the expression group, or the score of the risk factor. From the Sort By drop down menu in the left pane of the editor, select Name, Operation, or Risk Factor Value to display the sorted list of the risk factors.
  • Display disabled risk factors by dragging the Show disabled button to the right in the left pane of the editor. This displays the list of disabled risk factors.
  • Enable risk factors by right clicking on the Enable button from the drop down menu associated with the specific risk factor. Alternatively, you can enable any of the risk factors by dragging the Enable button for the specific risk factor in the center pane. This helps you to activate risk factors based on your requirements and evolving security threats over time.
  • Delete risk factors by right clicking on the Delete button from the drop down menu associated with the specific risk factor.
  • Clone risk factors by right clicking on the Clone button from the drop down menu associated with the specific risk factor.

Additionally, the right panel of the Risk Factors editor also displays the following information:

  • Matching risk events based on specified conditions
  • Similar risk factors to the one that is currently being edited
Last modified on 22 November, 2021
Create risk factors in Splunk Enterprise Security   Use default risk factors in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters