Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Increase risk factors to identify unauthorized usage

This is the fourth step in the Isolate user behaviors that pose threats with risk-based alerting scenario.

When Ram used Splunk Enterprise Security versions lower than 6.4, Ram took multiple steps to adjust risk scores and track anomalous behavior from high risk users. With Splunk Enterprise Security versions 6.4 and higher, Ram creates risk factors to multiply or reduce the risk associated with specific users.

Ram uses risk factors to dynamically adjust risk scores based on the behavior of high risk users.

Organizations might have high risk users due to any of the following reasons:

  • A reduction in workforce
  • Work on a sensitive project
  • An employee being placed on a performance improvement plan (PIP)

Before Splunk Enterprise Security version 6.4

Earlier, Ram used the eval command to dynamically adjust risk scores so that they reflected the user information held in the Active Directory of Buttercup Games, as follows:

  1. Ram raised the risk scores by 20 for users with specific job titles such as CEO, CFO, COO, and Executive Vice President using the following search:

    | eval risk_score = if(in(user_prop, "CEO", "CFO", "COO", "Executive Vice President"), risk_score + 20, risk_score)

  2. Then, Ram raised risk scores by 10 for users whose total high value file count (total_hvf) is at least 1 and no more than 50, using the following search:

    | eval risk_score = if(total_hvf >= 1 AND total_hvf <= 50, risk_score + 10, risk_score)

Though the eval command helped Ram to modify risk scores based on specific criteria, Ram had to create multi-step SPL searches, which was not the most optimal use of time.

After Splunk Enterprise Security version 6.4

After upgrading to Splunk Enterprise Security version 6.4, Ram uses the Risk Factor Editor to dynamically adjust risk scores. Now, Ram multiplies or reduces the risk score based on the characteristics of a specific asset or identity by selecting conditions in the Risk Factor Editor. This helps Ram surface suspicious behavior based on field values in the risk index without creating new searches. For example, Ram increases the risk score by a factor of two on a laptop that belongs to a director at Buttercup Games.

Alternatively, Ram can adjust the risk scores in the network environment by starting from the default risk factors that ship with Splunk Enterprise Security and experimenting with them to assign risk effectively. All default risk factors are displayed in the Risk Factor Editor, although they are disabled until enabled. So, Ram can use the default High Priority User risk factor to increase the risk score for high priority users: if the value of the user_priority field is "high", Ram sets the risk factor to multiply by 1.25.
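The following search is an added example, not part of the Splunk documentation, that previews over the last 24 hours of the risk index what the two risk factors described above (multiply by 1.25 when user_priority is "high", multiply by 2 for a director's laptop) would do to existing risk events before Ram enables them in the Risk Factor Editor. It assumes the risk events carry user_category and src_category from identity and asset enrichment (both may be multivalue, so mvfind is used rather than a plain equality), and that the index is named risk.

```spl
index=risk earliest=-24h@h
| eval factor_high_priority_user = if(lower(user_priority)="high", 1.25, 1)
| eval factor_director_laptop = if(isnotnull(mvfind(user_category, "(?i)^director$")) AND isnotnull(mvfind(src_category, "(?i)^laptop$")), 2, 1)
| eval adjusted_risk_score = risk_score * factor_high_priority_user * factor_director_laptop
| stats sum(risk_score) AS base_risk sum(adjusted_risk_score) AS adjusted_risk max(factor_high_priority_user) AS hp_factor max(factor_director_laptop) AS dl_factor count AS events BY risk_object risk_object_type
| where adjusted_risk > base_risk
| sort - adjusted_risk
```

Only risk objects whose aggregate score would change are listed, so the result shows which users and assets the two factors would push toward the risk notable threshold, which is the check to run before switching a factor on in production.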

Next step

Use the Risk Analysis dashboard to monitor high risk user behavior

See also

For more information on risk factors, see the product documentation:

Create risk factors

Manage risk factors

Use default risk factors

Access the Risk Factor Editor to manage risk factors

Last modified on 02 June, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2
