Adjust risk scores for specific objects
Ram uses risk factors to adjust risk scores for specific risk objects to more effectively map out the risk in his security environment and simplify the threat investigation process to prioritize suspicious behavior. Risk factors increase the risk scores based on specific conditions without creating new searches. For example, Ram can increase the risk score by a factor of two on a laptop that might be targeted if it belongs to a director instead of an employee. Risk factors are calculated based on a formula.
Ram can also use the default risk factors designed for specific conditions to dynamically assign risk scores to risk objects and effectively isolate threats using Splunk Enterprise Security. Splunk Enterprise Security provides seven risk factors by default, which can be further customized based on Ram's specific environment. Ram can also use these default risk factors as examples for guidance and create his own risk factors based on his environment.
- Ram can modify the score of a risk object based on tactic, user, src, dest, and threat object. For more information on creating risk factors, see Create risk factors in Splunk Enterprise Security.
- From the Enterprise Security menu, Ram selects Configure > Content > Content Management.
- From the Create New Content drop-down list, Ram selects Risk Factor, which opens the Risk Factor Editor.
- Ram then clicks the default risk factor, Watchlisted User.
This default risk factor increases the risk score for users on a watch list by a multiple of 1.5. So, if user_watchlist
is true
, the risk factor is increased by a multiple of 1.5. Ram can include all the directors on the watchlist.
Now Ram is able to mitigate risk successfully by using risk factors that dynamically modify risk scores based on specific conditions and keep Buttercup Games safe from security threats.
Learn more
Add a risk message and a risk score to a notable | Reduce alert volumes by triaging notables |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0
Feedback submitted, thanks!