Create a risk message to add context for investigations
Add a risk message that provides context for the analyst during investigations.
Risk messages are unique messages to describe the risk activity and can use fields from the event surrounded by "$" such as: "Suspicious Activity to $domain$. Risk messages can help build detections based on specific information, such as risk scores, instead of merely relying on the Risk Analysis data model schema.
Follow these steps to create a risk message:
- In Splunk Enterprise Security, select Configure > Content > Content Management.
- Filter to display any risk incident rule.
- Select on the risk incident rule to open the Correlation Search Editor.
- Go to Adaptive Response Actions.
- Select Add New Response Action.
- Select the Risk Analysis adaptive response action from the list so that when the correlation search finds events, it creates risk events in the risk index.
- Enter a risk message. For example, "Possible Bypass of User Account Controls".
You can also add custom fields to the risk message using the$variable$
format. For example, the instance of$parent_process_name$spawning$process_name$
is an attempt to add a certificate to the store on endpoint$dest$
by user$user$
- Add risk modifiers by populating the following fields:
- Risk Score
- Risk Object Field
- Risk Object Type
- Select Save.
Adjust the risk threshold to avoid high alert volume | Integrate risk analysis between Splunk Enterprise Security and behavioral analytics service |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!