Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create a risk message to add context for investigations

Add a risk message that provides context for the analyst during investigations.

Risk messages are unique messages to describe the risk activity and can use fields from the event surrounded by "$" such as: "Suspicious Activity to $domain$. Risk messages can help build detections based on specific information, such as risk scores, instead of merely relying on the Risk Analysis data model schema.

Follow these steps to create a risk message:

  1. In Splunk Enterprise Security, select Configure > Content > Content Management.
  2. Filter to display any risk incident rule.
  3. Select on the risk incident rule to open the Correlation Search Editor.
  4. Go to Adaptive Response Actions.
  5. Select Add New Response Action.
  6. Select the Risk Analysis adaptive response action from the list so that when the correlation search finds events, it creates risk events in the risk index.
  7. Enter a risk message. For example, "Possible Bypass of User Account Controls".
    You can also add custom fields to the risk message using the $variable$ format. For example, the instance of $parent_process_name$spawning$process_name$ is an attempt to add a certificate to the store on endpoint $dest$ by user $user$
  8. Add risk modifiers by populating the following fields:
    • Risk Score
    • Risk Object Field
    • Risk Object Type
  9. Select Save.
Last modified on 12 April, 2023
Adjust the risk threshold to avoid high alert volume   Integrate risk analysis between Splunk Enterprise Security and behavioral analytics service

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters