Generate risk notables using correlation searches
Ram configures a default correlation search in Enterprise Security to generate notables that match certain risk score thresholds or risk conditions and then, classifies them based on risk level.
Correlation searches can search for a conditional match based on the risk score assigned to the assets and identities. Assets and identities are the devices and user objects in the network environment. When the correlation search finds a match, it generates a risk alert as a notable event, a risk modifier, or both.
- From the home page of Splunk Enterprise Security, Ram selects Configure > Content > Content Management.
- Ram sorts the list of searches by Correlation Search, to view all existing correlation searches.
- Ram clicks the default correlation search called Risk Notable: Risk Threshold Exceeded For Risk Object Over 24 Hour Period, which leverages the risk data model. The search opens in the Edit Correlation Search window. This default correlation search helps Ram to identify only those notables whose risk threshold has been exceeded within the previous 24 hours.
- Using this correlation search, Ram classifies notables into various risk categories.
If the risk score for an object exceeds 100 over the last 24 hours, the risk_score_sum value is greater than 100. If the risk score is less than 250, Ram classifies the notables in the medium risk category. If the risk score is less than 500, Ram classifies the notables in the high risk category. If the risk score is greater than or equal to 500, Ram classifies the notables in the critical risk category. Classifying the notables helps Ram to prioritize the investigation effort on the critical notables and minimize threat.
- Ram can also customize the Splunk Processing Language (SPL) of the correlation search to change specific conditions. For example, if Ram wants to identify risk objects that have a risk score threshold of 200 instead of 100 over the last 24 hours. Leveraging the risk data model and creating risk notables based on MITRE ATT&CK tactics and techniques allows Ram to search through risk events that created the notable.
Following is an example SPL search that Ram can customize to specify risk conditions and adjust risk scores:
|from datamodel:"Risk.All_Risk"|search source="*- RR - *" |lookup system_or_service_users_ignore user as risk_object|search NOT comment=* |stats values(risk_object_type) as risk_object_type values(annotations.mitre_attack.mitre_tactic) as mitre_tactic dc(annotations.mitre_attack.mitre_tactic) as mitre_tactic_count values(annotations.mitre_attack.mitre_technique) as mitre_technique values(source) as source dc(source) as source_count sum(calculated_risk_score) as risk_score_sum values(threat_object_type) as threat_object_type min(_time) as _time by risk_object |where risk_score_sum > 100 |rex field=source "\w+ - RR - (?<source_short>.*) - \w+ - Rule" | eval severity=case(risk_score_sum<100,"low", risk_score_sum<250,"medium", risk_score_sum<500,"high", risk_score_sum>=500,"critical")
In this SPL:
- The lookup
system_or_service_users_ignorehelps to focus the search to generate risk notables based on specific risk objects and ignore system or service accounts or users.
statscommand calculates statistics based on specified fields and returns search results. This helps to identify the information that will be included in the risk notable to help the analyst.
wherecommand specifies the constraint of the search and identify risk objects that have an aggregate risk score, which is greater than 100.
rexcommand extracts fields using regular expression. For example, here the
rexcommand identifies the risk notable or risk rule based on its naming convention.
RR - (?<source_short>.*) - \w+ - Rule. Example of the naming convention used by risk rules or risk notables in Splunk Enterprise Security: "RR-Access Additional Cloud Credentials in Azure-User" or "RR-Add User to Administrator Group in Azure-User".
evalcommand creates new fields in your events by using existing fields and an arbitrary expression. Here, the
evalcommand classifies risk events based on their risk score and categorizes them by "medium", "high", or "critical" risk categories.
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1
Feedback submitted, thanks!