Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Assign risk scores to assets and identities

This is the first step in the Isolate threats with risk-based alerting scenario.

Using Splunk Enterprise Security, Ram assigns risk scores to the assets and identities in the network environment. The risk scores show the relative risk of a device or user in the network environment over time and create an extra layer of security-enriched data. The risk scores help to exponentially increase the number of detections because they let Ram calculate the risk within the environment posed by small events over time.

Ram now creates more meaningful and higher fidelity alerts, called risk notables, which increase visibility and reduce overall risk. The Risk Analysis dashboard displays these risk scores and other risk-related information. Enterprise Security indexes all risks as events in the risk index.

This screenshot displays the Risk Analysis dashboard.

Ram can add risk scores to a user, a system, or an object in multiple ways:

  • Using a custom correlation search
  • Specifying risk as an adaptive response action from the Incident Review page
  • Adding an ad hoc risk entry from the Risk Analysis dashboard
  • Assigning risk through a search

Next step

Generate risk notables using risk incident rules


See also

For more information on assigning risk, see the product documentation:

Modify a risk score with a risk modifier

Configure adaptive response actions

Create an ad hoc risk entry

Assign risk through a search

Risk Analysis in the Use Splunk Enterprise Security manual.

Last modified on 02 June, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2

