Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Run risk incident rules in Splunk Enterprise Security

As a detection engineer or security analyst, you can run risk incident rules to generate risk notables when the sum of risk scores for all risk events associated with a risk object reaches a certain threshold. Risk incident rules mine the risk index and aggregate the risk associated with risk objects such as assets and identities.

Follow these steps to run risk incident rules:

  1. In the Incident Review page, filter the correlation searches by risk and select the check box next to the default correlation searches to enable the default risk incident rules provided by Splunk Enterprise Security.
    As a beginner to RBA, you can use the default risk incident rules in Splunk Enterprise Security to learn how risk-based alerting works. After you familiarize yourself with RBA, you can customize the default risk incident rules based on the requirements of your security environment.

    Disable all other correlation searches to avoid unnecessary data noise.

  2. Select the search time range and search schedule to run the risk incident rule.
    Use the following search time range and schedule settings to balance your search performance, account for data lags, and set longer time frames to evaluate threats:
    • Earliest: -1h@h
    • Latest: @h
    • Schedule Cron: 07 * * * *
  3. Run the risk incident rule.

    Risk incident rules usually run once an hour.

  4. Identify the adjustments that you need to make to the risk incident rule.
  5. Use the Correlation Search editor to adjust the risk scores and severity associated with the risk incident rule.
    You can also add dynamic severity to the search, as in the following example:
    • For a risk score > 100 over 12 hours, Severity is Medium
    • For a risk score > 150 over 12 hours, Severity is High
    • For a risk score > 200 over 12 hours, Severity is Critical

    Do not overthink how to assign risk scores, because the risk score of a single event matters less than the total number of events related to an individual object. When you assign risk scores to risk objects, you assign scores to individual events, and the event scores get aggregated over time.

  6. Create a dynamic risk message for each risk incident rule.
    Make sure that the risk message is descriptive, yet concise and consistent.
    A risk message is an adaptive response action. Adding a custom risk message to a risk incident rule helps build detections based on specific information, such as risk scores.
  7. Assign risk to multiple objects with the Risk Analysis adaptive response action in the Correlation Search Editor. Specify risk scores, risk objects, risk object types, threat objects, and threat object types.

    In Splunk Enterprise versions lower than 6.4.x, you can configure only a single risk object in a correlation search.
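
One way to express the dynamic severity thresholds from step 5 as a search, added here as an illustration and not taken from the product's default rules. It assumes the Risk data model field names (`All_Risk.risk_object`, `All_Risk.risk_object_type`, `All_Risk.calculated_risk_score`), the `summariesonly` and `drop_dm_object_name` macros, and an inline 12-hour window chosen to match the severity example rather than the `-1h@h` range in step 2.

```spl
| tstats `summariesonly`
    sum(All_Risk.calculated_risk_score) as risk_score
    count as risk_event_count
    dc(source) as source_count
    values(source) as contributing_rules
  from datamodel=Risk.All_Risk
  where earliest=-12h@h latest=@h
  by All_Risk.risk_object All_Risk.risk_object_type ```assumed field names; one row per risk object```
| `drop_dm_object_name("All_Risk")`
| where risk_score > 100 ```lowest threshold from step 5; objects below it produce no result```
| eval severity=case(risk_score > 200, "critical",
                     risk_score > 150, "high",
                     risk_score > 100, "medium") ```highest band is tested first so each object gets one severity```
| sort - risk_score
```

The `risk_event_count` and `source_count` columns show whether a score came from many low-scoring events or a few high-scoring ones, which is the distinction step 5 asks you to weigh when tuning scores.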

See also

For more information about risk-based correlation searches and risk notables, see the product documentation.

How risk-based alerting works in Splunk Enterprise Security

How to create risk notables using Splunk Enterprise Security

Default risk incident rules in Splunk Enterprise Security

Risk notables in Splunk Enterprise Security

Change correlation search scheduling

Create a risk message to add context to your investigations

How to assign risk in Splunk Enterprise Security

Last modified on 12 April, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

