Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links may redirect incorrectly. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Assign risk scores to high risk users

This is the second step in the Isolate user behaviors that pose threats with risk-based alerting scenario.

After escalating the investigation, Ram computes the average risk score across the risk events together with the standard deviation of those scores, then measures each user's score against the average in units of standard deviation. This lets Ram compare the risk scores of high risk users with those of the rest of the user population rather than judging a score in isolation.

Ram makes this comparison as follows:

  1. First, Ram uses the eventstats command to compute summary statistics over a field in the events and append them to every event as new fields. Unlike stats, eventstats does not collapse the results, so each risk event keeps its own risk_score alongside the population average (avg_risk) and standard deviation (stdev_risk).

    | eventstats avg(risk_score) as avg_risk stdev(risk_score) as stdev_risk

    Note that stdev returns the sample standard deviation; use stdevp if the population standard deviation is wanted. A score compared only against the average still lacks context, so Ram wants to enrich the risk scores before evaluating them.

  2. Then, Ram modifies the risk scores based on the specific requirements of his network environment and his high risk user profile.
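The comparison above, as a runnable Python model. This is an added example and not Splunk code or SPL from this page: it reproduces what `eventstats avg(risk_score) as avg_risk stdev(risk_score) as stdev_risk` appends to each row, then goes one step beyond the page by expressing each user's score as a number of standard deviations above the average and flagging users above a cutoff. The risk events are constructed, the per-user sum is assumed to be how the previous step of the scenario produced one row per user, and the 2-sigma cutoff is an assumption for illustration, not a Splunk default.

```python
"""Model of the risk-score comparison: stats by user, eventstats avg/stdev, z-score.

Added example for this page; it is not Splunk code. The events, the per-user
aggregation and the 2-sigma cutoff are assumptions made for illustration.
"""
from collections import defaultdict
from statistics import mean, stdev

# Constructed risk events (not real data). Each is one risk rule firing: the
# entity it scored (risk_object) and the score it contributed (risk_score).
RISK_EVENTS = [
    {"risk_object": "alice", "risk_score": 10}, {"risk_object": "bob", "risk_score": 20},
    {"risk_object": "carol", "risk_score": 15}, {"risk_object": "dave", "risk_score": 25},
    {"risk_object": "erin", "risk_score": 20}, {"risk_object": "frank", "risk_score": 10},
    {"risk_object": "grace", "risk_score": 15}, {"risk_object": "heidi", "risk_score": 20},
    {"risk_object": "ivan", "risk_score": 25}, {"risk_object": "ram", "risk_score": 20},
    {"risk_object": "ram", "risk_score": 40}, {"risk_object": "ram", "risk_score": 80},
]


def stats_sum_by_object(events):
    """Equivalent of `| stats sum(risk_score) as risk_score by risk_object`.

    Assumed to be how the previous step of the scenario produced one row per
    user; it collapses the events to a per-user total, sorted by user.
    """
    totals = defaultdict(float)
    for event in events:
        totals[event["risk_object"]] += float(event["risk_score"])
    return [{"risk_object": obj, "risk_score": score} for obj, score in sorted(totals.items())]


def eventstats_avg_stdev(rows, field="risk_score"):
    """Equivalent of `| eventstats avg(<field>) as avg_risk stdev(<field>) as stdev_risk`.

    Unlike stats, eventstats keeps every row and appends the aggregates to each.
    Splunk's stdev() is the sample standard deviation (n-1 denominator), which
    is what statistics.stdev computes; with fewer than two values the field is
    left empty (None here), as eventstats does.
    """
    values = [float(row[field]) for row in rows if row.get(field) is not None]
    avg_risk = mean(values) if values else None
    stdev_risk = stdev(values) if len(values) > 1 else None
    return [dict(row, avg_risk=avg_risk, stdev_risk=stdev_risk) for row in rows]


def score_against_population(rows, sigma=2.0):
    """Add z_score (standard deviations above avg_risk) and a high_risk flag.

    The cutoff `sigma` is an assumption for the example; the page leaves the
    threshold to the analyst's environment.
    """
    scored = []
    for row in rows:
        z_score = None
        if row["stdev_risk"]:  # None or 0.0 means no spread, so no meaningful z-score
            z_score = (row["risk_score"] - row["avg_risk"]) / row["stdev_risk"]
        high_risk = z_score is not None and z_score > sigma
        scored.append(dict(row, z_score=z_score, high_risk=high_risk))
    return scored


def high_risk_users(events, sigma=2.0):
    """Run the whole pipeline and return the users flagged as high risk."""
    rows = score_against_population(eventstats_avg_stdev(stats_sum_by_object(events)), sigma)
    return [row["risk_object"] for row in rows if row["high_risk"]]


if __name__ == "__main__":
    for row in score_against_population(eventstats_avg_stdev(stats_sum_by_object(RISK_EVENTS))):
        print(f"{row['risk_object']:<6} score={row['risk_score']:>6.1f} "
              f"avg={row['avg_risk']:.1f} stdev={row['stdev_risk']:.2f} "
              f"z={row['z_score']:+.2f} high_risk={row['high_risk']}")
```

Two caveats worth keeping in mind when this is run as a real search: with n users, a sample z-score can never exceed (n-1)/sqrt(n), so a 2-sigma cutoff cannot fire at all with fewer than six users in the result set, and a single very high score inflates the standard deviation it is being measured against, which is why the next step tunes the scores to the environment rather than relying on the raw statistics.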

Next step

Modify risk scores using the where command

See also

For more information on the eventstats command, see the product documentation:

The eventstats command in the Splunk Cloud Services SPL2 Search Reference.

Last modified on 02 June, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

