Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

How to assign risk in Splunk Enterprise Security

You can assign risk to an object, or modify its risk score, using the following methods:

  • Create a risk analysis response action or risk modifier
  • Use a correlation search

You can dynamically assign risk scores based on event type so that you can identify evolving threats in your security environment.

For example, you can assign a risk score of 0 to successful HTTP POST events, which indicate that the client's request was received, understood, and accepted, and a risk score of 20 to failed HTTP POST events, which represent actions that were not performed. Similarly, you can assign a lower risk score to commands such as systeminfo, ipconfig, or netstat issued from a user account on another user's computer, but still track them as possibly malicious events that might later contribute to a risk notable.
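The dynamic scoring described above, as an added example that is not code from the original page or from Splunk: a Python model of the scoring logic run over constructed sample events. In Splunk Enterprise Security this logic would live in a correlation search with a risk analysis response action; here the event shapes, the recon command score of 5, the notable threshold of 30, and the per-modifier field names (risk_object, risk_object_type, risk_score, risk_message, source) are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample events for the illustration; these are not real logs.
SAMPLE_EVENTS = [
    {"event_type": "http_post", "status": 200, "user": "alice", "src": "ws-alice", "src_owner": "alice"},
    {"event_type": "http_post", "status": 403, "user": "bob", "src": "ws-bob", "src_owner": "bob"},
    {"event_type": "http_post", "status": 500, "user": "bob", "src": "ws-bob", "src_owner": "bob"},
    {"event_type": "process", "command": "systeminfo", "user": "bob", "src": "ws-alice", "src_owner": "alice"},
    {"event_type": "process", "command": "ipconfig", "user": "bob", "src": "ws-alice", "src_owner": "alice"},
    {"event_type": "process", "command": "netstat", "user": "bob", "src": "ws-alice", "src_owner": "alice"},
    {"event_type": "process", "command": "netstat", "user": "alice", "src": "ws-alice", "src_owner": "alice"},
]

RECON_COMMANDS = {"systeminfo", "ipconfig", "netstat"}
RECON_SCORE = 5          # assumed "lower" score for recon commands from another user's computer
NOTABLE_THRESHOLD = 30   # assumed cumulative score at which a risk notable is raised


def risk_modifier(event):
    """Map one event to a risk modifier, or None when the event carries no risk signal.

    The modifier field names are an assumption for this model; the scores follow
    the page's example (0 for a successful POST, 20 for a failed one, low for recon).
    """
    if event["event_type"] == "http_post":
        succeeded = 200 <= event["status"] < 300
        return {
            "risk_object": event["user"],
            "risk_object_type": "user",
            "risk_score": 0 if succeeded else 20,
            "risk_message": f"HTTP POST {'succeeded' if succeeded else 'failed'} with status {event['status']}",
            "source": "http_post_outcome",
        }
    if event["event_type"] == "process" and event["command"] in RECON_COMMANDS:
        # Recon commands on the user's own workstation are routine and produce no modifier;
        # the same commands from a host owned by someone else are tracked with a low score.
        if event["user"] == event["src_owner"]:
            return None
        return {
            "risk_object": event["user"],
            "risk_object_type": "user",
            "risk_score": RECON_SCORE,
            "risk_message": f"{event['command']} run by {event['user']} on {event['src']} (owned by {event['src_owner']})",
            "source": "recon_from_foreign_host",
        }
    return None


def aggregate_risk(modifiers):
    """Sum modifiers per risk object, the way a rollup over accumulated risk events would."""
    totals = defaultdict(int)
    for m in modifiers:
        totals[(m["risk_object_type"], m["risk_object"])] += m["risk_score"]
    return dict(totals)


def risk_notables(totals, threshold=NOTABLE_THRESHOLD):
    """Return (type, object, score) for every risk object whose cumulative score meets the threshold."""
    return sorted(
        (obj_type, obj, score)
        for (obj_type, obj), score in totals.items()
        if score >= threshold
    )


def run(events):
    """Score every event, aggregate per risk object, and pick out the objects that become notables."""
    modifiers = [m for m in map(risk_modifier, events) if m is not None]
    totals = aggregate_risk(modifiers)
    return modifiers, totals, risk_notables(totals)


if __name__ == "__main__":
    modifiers, totals, notables = run(SAMPLE_EVENTS)
    for m in modifiers:
        print(f"{m['risk_score']:>3}  {m['risk_object_type']}={m['risk_object']}  {m['risk_message']}")
    print("totals:", totals)
    print("risk notables:", notables)
```

In the sample, bob's two failed POSTs and three recon commands from alice's workstation add up to 55 and cross the assumed threshold, while alice's successful POST (score 0) and her own netstat (no modifier) leave her at 0. The low recon score is the point of the example: no single recon command is worth a notable, but the modifiers still land in the risk record and push the cumulative score over the line when they are combined with other signals.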

Assign a risk score

To assign risk using Splunk Enterprise Security, choose one of the two methods listed above: create a risk analysis response action or risk modifier, or use a correlation search.

See also

For more information about how best to use RBA in your security environment, see the product documentation.

How risk scores work in Splunk Enterprise Security

Last modified on 06 March, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2

