Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Use default risk incident rules in Splunk Enterprise Security

Use default risk incident rules to run correlation searches that create adaptive response actions or generate notable events.

The following correlation searches use the default incident rules and are enabled in Splunk Enterprise Security:

1. The correlation search ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 days creates notables when the number of MITRE tactics exceeds three over the last seven days i.e. tactic_count >=3 and source_count >=4.

| tstats `summariesonly` values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactic, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactic_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as technique, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as technique_count, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | where tactic_count >= 3 and source_count >= 4

2. The correlation search Risk Threshold Exceeded for Object Over 24 Hour Period.
creates notables when the risk score for an object exceeds 100 over the last 24 hours i.e. risk_score_sum > 100.

| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score_sum, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactic, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactic_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as technique, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as technique_count, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type | where risk_score_sum > 100 | `drop_dm_object_name("All_Risk")` | eval severity=case(risk_score_sum>=100 and risk_score_sum<250, "medium", risk_score_sum>=250 and risk_score_sum<500, "high", risk_score_sum>=500, "critical")


You can also customize these correlation searches and edit them to change specific conditions. For example, you may want to increase the risk score threshold by 200 instead of 100 over the last 24 hours. For more information on editing correlation searches, see Edit correlation searches.

Last modified on 11 January, 2023
Turn on notables for correlation searches   Create sequence templates in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters