Create an ad hoc risk entry in Splunk Enterprise Security
Creating an ad-hoc risk entry allows you to make a manual, one-time adjustment to an object's risk score. You can use it to add a positive or negative number to the risk score of an object.
- Select Security Intelligence > Risk Analysis.
- Click Create Ad-hoc Risk Entry.
- Complete the form.
- Click Save.
Risk Modifiers | Description |
---|---|
Risk Score | The number added to a risk object's score. Can be a positive or negative integer. |
Risk object | Text field. Use an asterisk (*) as a wildcard. |
Risk object type | Drop-down list. Select the object type to filter by. |
Add a threat object to an ad hoc risk entry in Splunk Enterprise Security
You can add threat objects to an ad hoc risk entry to correlate threat objects with risk events and adjust the risk score.
- Select Security Intelligence > Risk Analysis.
- Click Create Ad-hoc Risk Entry.
- Make adjustments to the form as required.
- Populate the Threat Object and the Threat Object Type fields.
- Click Save.
Threat Objects | Description |
---|---|
Threat Object | Specify a threat object that poses a threat to the environment, including a command or a script that you must run. For example: payload |
Threat Object Type | Type of the threat object. For example: file_hash |
Use security framework annotations in an ad-hoc risk entry
Use annotations to add context from industry-standard mappings to your ad-hoc risk entry results. Only MITRE ATT&CK definitions are pre-populated for enrichment.
Annotations
Annotations are enriched with industry-standard context.
- Scroll to Annotations.
- Add annotations for the common framework names listed. These fields are for use with industry-standard mappings, but also allow custom values. Industry-standard mappings include values such as the following:
Security Framework | Five Random Mapping Examples |
---|---|
CIS 20 | CIS 3, CIS 9, CIS 11, CIS 7, CIS 12 |
Kill Chain | Reconnaissance, Actions on Objectives, Exploitation, Delivery, Lateral Movement |
MITRE ATT&CK | T1015, T1138, T1084, T1068, T1085. This field also offers MITRE technique names for you to select, because they are pre-populated for enrichment. |
NIST | PR.IP, PR.PT, PR.AC, PR.DS, DE.AE |
- Click Save.
Dashboard example
Consider MITRE ATT&CK annotations as an example. You see them in dashboards by ID, such as T1015, rather than by the technique name.
Unmanaged Annotations
Unmanaged annotations are not enriched with any industry-standard context.
- Scroll to Unmanaged Annotations.
- Click + Framework to add your own framework names and their mapping categories. These are free-form fields.
- Click Save.
Search example
Consider unmanaged annotations as an example. If you search the risk index directly, you see your unmanaged annotations.
index=risk
Search results
Unmanaged annotations display results as annotations._all with your <unmanaged_attribute_value>, and annotations._frameworks with your <unmanaged_framework_value>.
Time | Event |
---|---|
7/22/20 5:34:09.000 PM | 1595453646, search_name="AdHoc Risk Score", annotations="{\"example_attack\":[],\"example-net\":[\"nim\",\"butler\",\"koko\"]}", annotations._all="butler", annotations._all="nim", annotations._all="koko", annotations._frameworks="example-net", annotations.example-net="nim", annotations.example-net="butler", annotations.example-net="koko", creator="admin", description="test", info_max_time="+Infinity", info_min_time="0.000", risk_object="testuser", risk_object_type="user", risk_score="10.0" |
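The flattened annotations.* fields in the event above are derived from the annotations JSON. As an added Python example (not part of the Splunk documentation), this parses a risk event like the one shown and rebuilds those fields; the rule that a framework with no attributes yields no annotations.* fields is inferred from the sample event (example_attack is empty and absent from annotations._frameworks), not stated by the documentation.

```python
import json
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the ad hoc risk event shown above.
SAMPLE_EVENT = (
    '1595453646, search_name="AdHoc Risk Score", '
    'annotations="{\\"example_attack\\":[],\\"example-net\\":[\\"nim\\",\\"butler\\",\\"koko\\"]}", '
    'annotations._all="butler", annotations._all="nim", annotations._all="koko", '
    'annotations._frameworks="example-net", annotations.example-net="nim", '
    'annotations.example-net="butler", annotations.example-net="koko", '
    'creator="admin", description="test", risk_object="testuser", '
    'risk_object_type="user", risk_score="10.0"'
)

# key="value"; the value may contain backslash-escaped quotes (the annotations JSON does).
_PAIR = re.compile(r'([\w.\-]+)="((?:[^"\\]|\\.)*)"')


def parse_risk_event(line):
    """Parse a raw risk event into {field: [values]}; repeated keys become multivalue fields."""
    fields = defaultdict(list)
    for key, raw in _PAIR.findall(line):
        fields[key].append(raw.replace('\\"', '"'))
    return dict(fields)


def flatten_annotations(annotations_json):
    """Rebuild the flattened annotations.* fields from the annotations JSON.

    Each framework name goes to annotations._frameworks, each attribute to
    annotations._all and annotations.<framework>. Skipping frameworks with no
    attributes is an assumption modelled on the sample event.
    """
    parsed = json.loads(annotations_json)
    flat = defaultdict(list)
    for framework, attributes in parsed.items():
        if not attributes:
            continue
        flat["annotations._frameworks"].append(framework)
        for attr in attributes:
            flat["annotations._all"].append(attr)
            flat[f"annotations.{framework}"].append(attr)
    return dict(flat)
```

Multivalue order in the indexed event (butler, nim, koko) differs from the JSON order, so compare the rebuilt fields as sets rather than lists.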
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2