How risk scores work in Splunk Enterprise Security
Use risk scores to calculate the risk of events in Splunk Enterprise Security. A risk score is a single metric that shows the relative risk of an asset or identity such as a device or a user in your network environment over time. Splunk Enterprise Security classifies a device as a
system, a user as a
user, and unrecognized devices or users as
Use the Risk Analysis dashboard to display risk scores and other risk-related information. Splunk Enterprise Security indexes all risks as events in the
risk index. To access the Risk Analysis dashboard from your Splunk Enterprise Security app, go to Security Intelligence > Risk Analysis. You can also drill down to investigate risk events and view the associated risk scores using the Risk Timeline visualization.
For more information on the Risk Analysis dashboard, see Risk Analysis in the Use Splunk Enterprise Security manual.
How Splunk Enterprise Security assigns risk scores
Splunk Enterprise Security uses correlation searches to correlate machine data with known threats. Risk-based alerting (RBA) applies the data from assets and identities, which comprises the devices and user objects in a network environment, to events at search time to enrich the search results. Correlation searches search for a conditional match to a question.
When the correlation search finds a match, it generates an alert as a notable event, a risk modifier, or both, which might indicate a threat. A notable event becomes a task. You must assign, review, or close this event. A risk modifier becomes a number. This event adds to the risk score of a device or user object.
A risk score is a single metric that shows the relative risk of a device or user object in the network environment over time. These objects are also known as risk objects. A risk object represents a
user, or an unspecified
Colors are used to distinguish between the levels of risk. A risk score of 0-25 is represented by a yellow badge, 25-50 is orange, 50-75 is light red, and a risk score above 75 is dark red.
Splunk Enterprise Security might initially score some of the risk events too high in the early stages of your RBA journey. However, as you manage your risk ecology, it gets easier to tune your risk-based correlation searches and score risk events appropriately. RBA assigns risk scores based on both the impact and confidence of a risk event. For example: If a detection such as "Any PowerShell DownloadString" has an impact score of 80 and a confidence score of 70, Splunk Enterprise Security assigns it a risk score of 56. Over time, as you run the risk-based correlation search, you might discover that some of the risk events indicate expected behavior in your security environment. In such cases, you can apply less risk to those events instead of lowering the overall risk score.
Example: Risk scoring
Host 192.0.2.2 is a system that generates several notable events. The correlation search for Personally Identifiable Information Detected creates five notable events per day for that system.
The following tables display how risk scoring is displayed on the Risk Analysis dashboard in the Risk Score by Object and Most Active Sources panels for the last 7 days by default, for a host that has a risk score of 480.0 i
|Audit - Personally Identifiable Information Detection - Rule||480.0||1||6|
Since 192.0.2.2 is a test server, this behavior might not seem important. However, instead of ignoring or suppressing notable events generated by test servers, you can create specific rules to monitor those servers differently.
You can create a correlation search that assigns a risk modifier instead of creating a notable event, when the correlation matches hosts that serve as test servers.
- Exclude test servers from the existing correlation searches using an allow list. See Allowlist events in Administer Splunk Enterprise Security for more information.
- Create and schedule a new correlation search based on the Personally Identifiable Information Detected search but include the list of test server hosts and assign only a risk analysis adaptive response action.
- Verify that you apply the risk modifiers to the test server hosts by raising their risk score incrementally. The new correlation search does not create notable events for those hosts based on personally identifiable information.
As the relative risk score goes up, you can compare 192.0.2.2 to similar test servers. If the relative risk score for 192.0.2.2 exceeds its peers, you can investigate that host. If the risk scores of similar test servers are higher relative to others, you might need to review an internal security policy or implement the security policy differently. See the Risk Analysis With Enterprise Security 3.1 blog post for additional examples.
Score ranges for risk
Risk scoring offers a way to capture and aggregate the activities of an asset or identity into a single metric using risk modifiers.
The correlation searches included in Splunk Enterprise Security assign a risk score between 20 and 100 depending on the relative severity of the activity found in the correlation search. The searches scope the default scores to a practical range. This range does not represent an industry standard. Splunk Enterprise Security does not define an upper limit for the total risk score of an identity or asset.
Risk score levels use the same naming convention as event severity. You can assess relative risk scores by comparing hosts with similar roles and asset priority.
- 20 - Info
- 40 - Low
- 60 - Medium
- 80 - High
- 100 - Critical
Administrators can edit correlation searches to modify the risk score that the risk analysis response action assigns to an object. See Modify a risk score with a risk modifier.
For more information about how best to use RBA in your security environment, see the product documentation.
How risk-based alerting works in Splunk Enterprise Security
How risk modifiers impact risk scores in Splunk Enterprise Security
Modify a risk score with a risk modifier in Splunk Enterprise Security
Included adaptive response actions with Splunk Enterprise Security in Administer Splunk Enterprise Security.
How to assign risk in Splunk Enterprise Security
How to create risk notables using Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1
Feedback submitted, thanks!