How risk objects impact risk scores in Splunk Enterprise Security

A risk object refers to any asset, identity, user, or device in your security environment that can be used by Splunk Enterprise Security to identify potential security threats. As an administrator, you can create risk objects to categorize anything to which you assign a risk score. For example, you might categorize a laptop as a system risk object type and an identity as a user risk object type.

When a risk object generates an event that is a potential threat, the risk modifier associated with the risk object increases the risk score of the object. When a risk incident rule finds a risk object associated with several risk events, the risk incident rule creates risk notables in Splunk Enterprise Security.

Only a few key fields create a risk notable, which include: risk_object and risk_object_type fields.

Risk object field

The risk_object field is a reference to a search field returned by a correlation search. Correlation searches use fields such as src and dest to report on matching results. The risk_object field represents a system, host, device, user, role, credential, or any object that the correlation search reports on.

Risk object types

If a risk object matches an object in the asset or identity table, Enterprise Security maps the object as the associated type. For example, an object that matches an asset in the asset lookup maps to the system risk object type. However, devices and users do not appear in the corresponding asset and identity tables to identify as system or user risk objects. ES categorizes undefined or experimental object types with a risk object type of Other.

Splunk Enterprise Security defines the following risk object types.

Example: Reset a risk score for a risk object

You can reset a risk score for an object but with certain limitations.

Consider a scenario where the correlation searches generate many notables for an infected system, which leads to a high risk score. Despite re-imaging, the system still has the same IP address or host name. This requires you to reset the risk score to zero as if it's a new system.

If the host is 192.0.2.2 with a 480.0 risk score, you only have the following options to change the risk score to zero because risk scores contain a time component:

• Change the time range picker from the default, which changes the risk score. You might see no results for this host if you change the time range to Last 15 minutes. The score is zero if no events get created in that time frame. This does not reset the score, but helps you verify the new risk score, if you know the time frame of when you re-imaged the system.

• Create an ad-hoc risk entry with a risk score of -480. However, this is dependent on the time frame. This also does not reset the score. If your ad-hoc risk entry is outside the time window of the event, then the negative offset does not apply, and the object has a score of -480. See Create an ad hoc risk entry in Splunk Enterprise Security.

See also

For more information about how risk objects are associated with risk modifiers and impact risk scores, see the product documentation.

How risk-based alerting works in Splunk Enterprise Security

How risk modifiers impact risk scores in Splunk Enterprise Security

Modify a risk score with a risk modifier in Splunk Enterprise Security

Prioritize threat objects over risk objects in risk incident rules