Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links may produce redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Use default risk factors in Splunk Enterprise Security

Use default risk factors designed for specific conditions to dynamically assign risk scores to risk objects and effectively isolate threats using Splunk Enterprise Security. Splunk Enterprise Security provides seven risk factors by default, which may be further customized based on your specific environment. You may also use these default risk factors as examples for guidance and create your own risk factors based on your environment.

All risk factors are displayed automatically in the left panel of the Risk Factor Editor. However, the default risk factors that ship with Enterprise Security are disabled by default.

The following risk factors are available in the app by default:

1. Admin User
   Increases the risk score of a user who has a privileged or administrative identity.
   If the "user_category" field matches the regex "admin", the risk score is multiplied by 1.5.

2. Contractor User
   Increases the risk score of a user who is a contractor.
   If the "user_category" field value is "contractor", 5 is added to the risk score.

3. Critical Priority Destination
   Increases the risk score for critical destinations.
   If the "dest_priority" field value is "critical", the risk score is multiplied by 1.5.

4. High Priority User
   Increases the risk score for high priority users.
   If the "user_priority" field value is "high", the risk score is multiplied by 1.25.

5. Watchlisted Priority User
   Increases the risk score for users on a watch list when the user is not on a low priority list.
   If the "user_watchlist" field is equal to "true" and the "user_priority" field is not equal to "low", the risk score is multiplied by 1.5.
   For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage.

6. Watchlisted User
   Increases the risk score for users on a watch list by a multiple of 1.5.
   If the "user_watchlist" field is "true", the risk score is multiplied by 1.5.
   For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage.
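To make the conditions above concrete, here is an added Python example (not Splunk code, and not how Enterprise Security implements risk factors internally) that encodes the six default risk factors as condition/operation pairs and applies them to a few constructed risk events. The field names and values come from the list above; how several matching factors combine is an assumption in this example (multiplicative factors are multiplied together, then additive factors are summed in). Note that under that assumption a watchlisted user whose priority is not "low" matches both watchlist factors and therefore gets a combined 2.25x multiplier, which is worth knowing when tuning the defaults.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Added example, not Splunk's own code. Models the six default risk factors
# listed on this page. The combining rule (product of all multiplicative
# factors, then sum of additive factors) is an assumption for illustration.

Event = Dict[str, str]


@dataclass(frozen=True)
class RiskFactor:
    name: str
    condition: Callable[[Event], bool]
    operation: str  # "multiply" or "add"
    value: float


def field_matches(field: str, pattern: str) -> Callable[[Event], bool]:
    """Condition: the field value matches a regex (as with the Admin User factor)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: rx.search(str(ev.get(field, ""))) is not None


def field_equals(field: str, expected: str) -> Callable[[Event], bool]:
    """Condition: the field value equals a literal (case-insensitive)."""
    return lambda ev: str(ev.get(field, "")).lower() == expected.lower()


def watchlisted_not_low(ev: Event) -> bool:
    """user_watchlist is 'true' AND user_priority is not 'low'."""
    return field_equals("user_watchlist", "true")(ev) and not field_equals("user_priority", "low")(ev)


DEFAULT_RISK_FACTORS: List[RiskFactor] = [
    RiskFactor("Admin User", field_matches("user_category", "admin"), "multiply", 1.5),
    RiskFactor("Contractor User", field_equals("user_category", "contractor"), "add", 5),
    RiskFactor("Critical Priority Destination", field_equals("dest_priority", "critical"), "multiply", 1.5),
    RiskFactor("High Priority User", field_equals("user_priority", "high"), "multiply", 1.25),
    RiskFactor("Watchlisted Priority User", watchlisted_not_low, "multiply", 1.5),
    RiskFactor("Watchlisted User", field_equals("user_watchlist", "true"), "multiply", 1.5),
]


def apply_risk_factors(event: Event, factors: List[RiskFactor] = DEFAULT_RISK_FACTORS) -> Tuple[float, List[str]]:
    """Return (adjusted risk score, names of the factors that matched)."""
    base = float(event["risk_score"])
    multiplier = 1.0
    addend = 0.0
    matched: List[str] = []
    for f in factors:
        if not f.condition(event):
            continue
        matched.append(f.name)
        if f.operation == "multiply":
            multiplier *= f.value
        elif f.operation == "add":
            addend += f.value
        else:
            raise ValueError(f"unknown operation {f.operation!r} in factor {f.name!r}")
    # Assumed combining rule: scale first, then add.
    return base * multiplier + addend, matched


# Constructed sample risk events (not real data).
SAMPLE_EVENTS: List[Event] = [
    {"user": "alice", "user_category": "domain_admins", "dest_priority": "critical", "risk_score": "20"},
    {"user": "bob", "user_category": "contractor", "dest_priority": "medium", "risk_score": "10"},
    {"user": "carol", "user_priority": "high", "user_watchlist": "true", "risk_score": "8"},
    {"user": "dave", "user_priority": "low", "user_watchlist": "true", "risk_score": "8"},
]


def score_all(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, float]:
    """Map each sample user to its adjusted score."""
    return {ev["user"]: apply_risk_factors(ev)[0] for ev in events}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, matched = apply_risk_factors(ev)
        print(f"{ev['user']:6} base={ev['risk_score']:>3} -> {score:6.2f}  matched={matched}")
```

The "domain_admins" category shows why the Admin User factor uses a regex rather than an exact match: any category containing "admin" qualifies, which is convenient but also means a loosely named category such as "admin_helpdesk" would be scaled as privileged.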
Last modified on 19 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0

