How risk objects impact risk scores in Splunk Enterprise Security
A risk object refers to any asset, identity, user, or device in your security environment that Splunk Enterprise Security can use to identify potential security threats. As an administrator, you can create risk objects to categorize anything to which you assign a risk score. For example, you might categorize a laptop as a system risk object type and an identity as a user risk object type.
When a risk object generates an event that is a potential threat, the risk modifier associated with the risk object increases the risk score of the object. When a risk incident rule finds a risk object associated with several risk events, the risk incident rule creates risk notables in Splunk Enterprise Security.
Only a few key fields are needed to create a risk notable, chiefly the risk_object and risk_object_type fields.
Risk object field
The risk_object field is a reference to a search field returned by a correlation search. Correlation searches use fields such as src and dest to report on matching results. The risk_object field represents a system, host, device, user, role, credential, or any other object that the correlation search reports on.
Risk object types
If a risk object matches an object in the asset or identity table, Enterprise Security maps the object to the associated type. For example, an object that matches an asset in the asset lookup maps to the system risk object type. However, a device or user that does not appear in the corresponding asset or identity table cannot be identified as a system or user risk object. Enterprise Security categorizes undefined or experimental object types with a risk object type of Other.
Splunk Enterprise Security defines the following risk object types.
| Object type | Description |
|---|---|
| System | Network device or technology. Can represent a device in the asset lookup. |
| User | Can represent an identity such as a network user, credential, or role in the identity lookup. |
| Hash values | Fixed-length value that uniquely identifies a large amount of data. Used with digital signatures. |
| Network artifacts | Network evidence that points to unauthorized access to the network by unauthorized entities. |
| Host artifacts | Traces of adversary activity on one or more hosts, such as registry keys or values known to be created by specific pieces of malware, files, or directories. |
| Tools | Software used by attackers to accomplish their mission. |
| Other | Any undefined object in a data source field. |
Example: Reset a risk score for a risk object
You can reset a risk score for an object, but only within certain limitations.
Consider a scenario where correlation searches generate many notables for an infected system, which leads to a high risk score. After you re-image the system, it still has the same IP address or host name, so you want to reset its risk score to zero as if it were a new system.
If the host is 192.0.2.2 with a 480.0 risk score, you have only the following options to change the risk score to zero, because risk scores contain a time component:
- Change the time range picker from the default. Because the score is computed over the selected time range, this changes the displayed risk score. If you change the time range to Last 15 minutes, you might see no results for this host; the score is zero if no risk events were created in that time frame. This does not reset the score, but it lets you verify the new risk score if you know when you re-imaged the system.
- Create an ad hoc risk entry with a risk score of -480. However, this also depends on the time frame and does not reset the score. If your ad hoc risk entry is outside the time window of the original events, the negative offset does not cancel them, and the object shows a score of -480. See Create an ad hoc risk entry in Splunk Enterprise Security.
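The following Python model, added here as an illustration and not part of Splunk Enterprise Security or its documentation, shows why the two options above behave as described: a risk score is the sum of the risk modifiers whose _time falls inside the selected time range, so narrowing the range hides old events and an ad hoc -480 entry only cancels the original 480.0 while both are in the same window. It also shows the risk object type mapping from the previous section (asset match gives system, identity match gives user, anything else gives Other). The asset and identity sets, the RiskEvent shape, the function names, the 24-hour default window and all timestamps are constructed assumptions; only the host 192.0.2.2, the 480.0 score and the -480 offset come from the page.

```python
"""Model of time-bounded risk scoring in Splunk Enterprise Security.

Added illustration, not Splunk code. Event shapes, lookups, the default
24-hour window and helper names are assumptions; the events are
constructed to reproduce the page's scenario (host 192.0.2.2, score 480.0).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the ES asset and identity lookups.
ASSETS = {"192.0.2.2", "192.0.2.10"}
IDENTITIES = {"jsmith", "svc_backup"}


def classify_risk_object(risk_object: str) -> str:
    """Map a risk_object to a risk_object_type as the page describes:
    asset match -> system, identity match -> user, otherwise Other."""
    if risk_object in ASSETS:
        return "system"
    if risk_object in IDENTITIES:
        return "user"
    return "other"


@dataclass(frozen=True)
class RiskEvent:
    time: datetime          # _time of the risk event
    risk_object: str
    risk_score: float       # risk modifier applied by the correlation search
    risk_message: str


def risk_score(events, risk_object, earliest, latest) -> float:
    """Sum the risk modifiers for one object over [earliest, latest].
    Only events inside the range count, which is the time component
    the page refers to."""
    return sum(e.risk_score for e in events
               if e.risk_object == risk_object and earliest <= e.time <= latest)


def score_over_last_24h(events, risk_object, now):
    """Assumed default time range picker setting (constructed)."""
    return risk_score(events, risk_object, now - timedelta(hours=24), now)


def score_over_last_15m(events, risk_object, now):
    """The 'Last 15 minutes' range mentioned on the page."""
    return risk_score(events, risk_object, now - timedelta(minutes=15), now)


def with_adhoc_offset(events, risk_object, offset, when):
    """Append an ad hoc risk entry (a manual risk modifier) at time `when`."""
    return events + [RiskEvent(when, risk_object, offset, "Ad hoc entry after re-image")]


# Constructed infection timeline: 8 detections of 60.0 each = 480.0.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
INFECTION_EVENTS = [
    RiskEvent(T0 + timedelta(minutes=i * 10), "192.0.2.2", 60.0, f"Malware detection {i}")
    for i in range(8)
]
REIMAGE_TIME = T0 + timedelta(hours=2)   # host rebuilt here; IP address unchanged


def demo():
    """Walk through the page's four situations and return each score."""
    now = REIMAGE_TIME + timedelta(minutes=30)
    results = {}
    # Default window still covers the pre-re-image events: 480.0 remains.
    results["24h"] = score_over_last_24h(INFECTION_EVENTS, "192.0.2.2", now)
    # Window that starts after re-imaging: no events, so the score is 0.0.
    results["15m"] = score_over_last_15m(INFECTION_EVENTS, "192.0.2.2", now)
    # Ad hoc -480 in the same window as the 480.0 of events: nets to 0.0.
    offset = with_adhoc_offset(INFECTION_EVENTS, "192.0.2.2", -480.0, REIMAGE_TIME)
    results["adhoc_in_window"] = score_over_last_24h(offset, "192.0.2.2", now)
    # Later, the original events age out of the window but the ad hoc
    # entry has not: only -480.0 is summed, exactly as the page warns.
    later = now + timedelta(hours=23)
    results["adhoc_after_events_aged_out"] = score_over_last_24h(offset, "192.0.2.2", later)
    return results


if __name__ == "__main__":
    print(classify_risk_object("192.0.2.2"), classify_risk_object("jsmith"))
    for name, score in demo().items():
        print(f"{name}: {score}")
```

The model deliberately treats an ad hoc entry as just another risk event with a negative modifier, which is why it can never behave like a true reset: once the search window slides past the original events, the offset is all that remains.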
See also
For more information about how risk objects are associated with risk modifiers and impact risk scores, see the following product documentation:
- How risk-based alerting works in Splunk Enterprise Security
- How risk modifiers impact risk scores in Splunk Enterprise Security
- Modify a risk score with a risk modifier in Splunk Enterprise Security
- Prioritize threat objects over risk objects in risk incident rules
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2