Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

How to assign risk in Splunk Enterprise Security

You can assign or modify risk to an object using the following methods:

  • Create a risk analysis response action or risk modifier
  • Use a correlation search

You can dynamically assign risk scores based on the event types so that you can identify evolving threats in your security environment.

For example, you can assign a risk score of 0 to successful HTTP POST events that indicate the client's request was successfully received, understood, and accepted. You can assign a risk score of 20 for failed HTTP POST events as they are actions that were not performed. Similarly, you can assign a lower risk score to commands such as systeminfo, ipconfig, or netstat issues from a user account from another user's computer but still track them as a possible malicious event that might later become a risk notable.

Assign a risk score

To assign risk using Splunk Enterprise Security, choose one of the following methods:

See also

For more information about how best to use RBA in your security environment, see the product documentation.

How risk scores work in Splunk Enterprise Security

Last modified on 06 March, 2023
PREVIOUS
How risk-based alerting works in Splunk Enterprise Security 		  NEXT
How risk scores work in Splunk Enterprise Security

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters