Create risk factors in Splunk Enterprise Security
Create risk factors to adjust risk scores for risk objects so that you can effectively isolate threats using Splunk Enterprise Security by mapping out the risk in the environment.
Specifying conditions to dynamically adjust risk scores simplifies the threat investigation process by helping to prioritize suspicious behavior. Risk factors increase the risk scores in your environment based on specific conditions. Previously risk scores were assigned equally to all systems and users. Using risk factors, you may adjust the risk scores without creating new searches. For example: You may increase the risk score by a factor of two on a laptop that may be targeted if it belongs to a director instead of an employee.
You can also use Splunk Enterprise Security to add an adaptive response and create risk objects for your correlation searches. However, when you use adaptive responses to create risk objects, they are based on a risk score that is assigned at the user's discretion and are fixed values. Therefore, using risk factors helps the risk scores to be more precise based on threat. For more information on creating risk objects, see Create risk objects in Splunk Enterprise Security.
All values that you input through the Risk Factor Editor are saved in the risk_factors.conf
configuration file by default.
How the risk factor scoring works
When you create risk factors, check the formula to understand how the risk factors are calculated so that they work as expected and do not inflate the risk scores.
For example, if you have four matching risk factors for a correlation search with a base score of 5 and two of the rules multiple by 2. One rule adds five and the other one adds 6.
Here is how the risk framework calculates your risk factor:
(base_score + 5 + 6) = 16;
16x 2 x 2 = 64.
In this example, your risk factor is 64.
You may add or multiply the original risk score, though addition factors are always applied before the multiplication factors based on the order of operations.
Create a new risk factor
You have the option of creating a risk factor and then disabling it by dragging on the Enable button to the left. To enable a risk factor for your deployment, you may drag the Enable button to the right.
You can identify the fields that you want to include in the risk factor by checking the events in the risk index or verifying matching events in the right panel of the Risk Factor Editor. However, for risk events that only have the fields "risk_object" and "risk_object_type" instead of "dest" or "src", you must check the fields for assets and identities that have the prefix "risk_object_". For example: The "priority" field will be displayed in "risk_object_priority" under assets and identities.
Prerequisites
- Knowledge of the risk index for correlation searches so that you can specify the appropriate conditions to create risk factors.
- Preview the risk events that match your conditions prior to saving risk factors.
- You must have the
edit_risk_factor
capability to create or make changes to the risk factors using the UI. For more information on adding capabilities to roles, see Add capabilities to a role.
Steps
- From the Enterprise Security menu, select Configure > Content > Content Management.
- (Optional) From the Type drop-down filter, select Risk Factors.
This sorts and displays the list of existing risk factors. - From the Create New Content drop down, select Risk Factors.
This opens the Risk Factors Editor. - Click on the Add Risk Factor button in the left pane.
- In the center pane, add the following information to create the new risk factor.
- In the Name field, type the name of the new risk factor.
- In the Description field, provide a description for the new risk factor.
- In the Operation drop down, select one of the following options: Addition or Multiplication.
Selecting the operation enables you to modify the original risk score. You may add or multiply the original risk score, though addition factors are always applied before the multiplication factors based on the order of operations. - In the Factor field, assign a numerical value for the risk factor.
The number that you specify in the Factor field is not an arbitrary value, but is based on the conditions that you specify in the Conditions panel in the next step.
- In the Conditions panel, specify the criteria on which you want to base the value of your risk factor. For example, if the event field "Owner" contained the phrase "admin", you may want to multiply the risk score by 10.
Setting conditions enables you to dynamically generate a value for the risk factor based on evolving situations and easily identify the threat associated with a risk object. If the risk factor meets the conditions specified, the threat level for the risk object may be proportionally increased or decreased. To set simple conditions, see Set basic conditions to assign risk scores.
To set advanced conditions, see Set advanced conditions to assign risk scores. - Click Save to save your changes.
Set basic conditions to assign risk scores
Use the following steps to set conditions based on the event field and value and assign an appropriate score for the risk object.
Steps
- In the Conditions panel of the Risk Factor Editor, click on the Basic tab.
- In the Risk Event Field, type a value for the event field against which you want to assign a risk factor.
- In the Risk Event Value field, type a value against which you want to compare the event field. The value may be a static value or the name of another field.
- Click Save to save your changes.
Set up Advanced conditions instead of Basic conditions for your risk factors if you want to use wildcard searches.
Set advanced conditions to assign risk scores
You may set multiple conditions when creating risk factors by clicking on the + icon. Adding multiple conditions enables you to create more targeted risk factors. You also have the option of removing conditions by clicking the Remove button associated with the specific risk factor.
Use the following steps to set conditions based on the relationship specified between the event field and value and assign an appropriate value for the risk factor.
Steps
- In the Conditions pane of the Risk Factor Editor, click on the Advanced tab.
- In the Risk Event Field, type a value for the event field against which you want to assign a risk factor. For example:
user_category
orasset_category
.
- From the Comparator drop down menu, select the comparison parameter to specify the relationship between the risk event field and value.
Following list indicates the possible options for comparator values:
- is equal to
- is not equal to
- matches regex
- like
- is greater than or equal
- is less than or equal
- is greater than
- is less than
- Slide the Compare against field button to select or deselect the option of comparing the event field against a value.
Enabling the Compare against field button allows you to use the Value field as a field name instead of a static string. - In the Value field, type the value against which you want to compare the event field. The value may be a static value or the name of another field.
- Click Save to save your changes.
Use the "like" or the "regex" comparator to set up wildcard searches as the adaptive response action. For more information on the like conditional function, see like. For more information on the match regex function, see match.
Use preview to verify the risk factor conditions
Use the preview option in the center pane of the Risk Factor Editor to verify how the conditions and comparators will apply to a risk factor.
To learn how the "like" comparator applies to the risk factors, access the Conditions pane of the Risk Factor Editor and click on the Advanced tab. Type in a value for the Risk Event Field, select "like" from the Comparator drop down menu, and type in the value for the risk factor in the Value field. You can now see how the search appears in the Preview field. For example: if(like('riskobject',"bennay"), 0.0)
You may also check the right panel of the Risk Factor Editor to identify how many events match the conditions you added to the risk factor and then, use search to verify if the risk factor displays the events to which you want to apply the risk factor.
Write conditions against asset and identity fields
If you write conditions against asset and identity fields for risk events, enable correlation by sourcetype and add the sourcetype name of stash. Alternately, you can enable correlation for all sourcetypes. For example, if you write a condition for an asset with src_bunit=emea, the src_bunit field is an asset field that is automatically provided if the correlation and the lookup are enabled.
For more information about correlation setup, see Manage correlation setup in Splunk Enterprise Security.
For more information about lookup configuration, see Manage asset lookup configuration policies in Splunk Enterprise Security.
Troubleshoot upgrade issues with risk factors
Issue
Upgrading Splunk Enterprise Security might not update the Risk data model Risk.json
file and display the following error message: Error in "DataModelEvaluator". JSON for datamodel risk is invalid.
Cause
Edits to the risk factors using the Risk Factor editor modifies the risk_factors.conf
configuration file and creates a local copy of the Risk data model on each of the Enterprise Security search head cluster members when the deployer pushes the updated risk data model. The local copy of the Risk data model /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json
might be different from the default copy of the Risk data model /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json
.
Solution
On-prem:
Delete the local copy of the Risk.json
file. Restart the search head cluster.
Ensure that all risk factors, if customized, are available in the Risk.json
file.
On Cloud:
Contact Splunk Support and file a ticket on the Splunk Support Portal. See Support and Services.
Splunk Support helps to remove the local copy from all the members of the search head cluster. Splunk Support copies the default file /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json
from an updated Enterprise Security instance and overwrites the local copy /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json
.
Create risk and edit risk objects in Splunk Enterprise Security | Manage risk factors in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0, 7.0.1, 7.0.2
Feedback submitted, thanks!