Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Manage risk factors to track evolving security threats in Splunk Enterprise Security

Manage existing risk factors in Splunk Enterprise Security to track evolving security threats. You can monitor and edit existing risk factors in your deployment using the Risk Factor Editor.

Access the Risk Factor Editor to manage risk factors

  1. From the Splunk Enterprise Security menu, select Configure > Content > Content Management.
  2. (Optional) From the Type list filter, select Risk Factors.
    This sorts and displays the list of existing risk factors.
  3. From the Create New Content list, select Risk Factors.
    This opens the Risk Factor Editor.

Use the Splunk Enterprise Security Risk Factor Editor for the following actions:

  • Identify the existing risk factors in your deployment by viewing the list displayed in the Risk Factor Editor.
  • Search for specific risk factors by entering the name in the search bar on the left pane of the editor.
  • Sort risk factors based on the name, the expression group, or the score of the risk factor. From the Sort By menu in the editor, select Name, Operation, or Value to display the sorted list of the risk factors.
  • Display disabled risk factors by toggling the Show disabled button. This displays the list of disabled risk factors.
  • Enable risk factors by toggling the Enable button for the specific risk factor. Alternatively, you can enable any of the risk factors by dragging the Enable button for the specific risk factor in the center pane. You can activate risk factors based on your requirements and evolving security threats over time.
  • Delete risk factors by selecting the Delete button from the menu associated with the specific risk factor.
  • Clone risk factors by selecting the Clone button from the menu associated with the specific risk factor.
  • In the right panel of the Risk Factor Editor, view matching risk events based on the specified conditions, or risk factors that are similar to the one you are editing.

See also

For more information about risk factors, see the product documentation.

Create risk factors in Splunk Enterprise Security

Use default risk factors for guidance to create risk factors in Splunk Enterprise Security

Troubleshoot upgrade issues with risk factors

Customizing risk factors by applying conditions to data fields

Last modified on 29 March, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2

