Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Update assets and identities to add context for risk based alerting

Review and update the information on all the assets and identities that exist in your security network so that you can customize risk factors based on the specific context of the asset and identity data. Maintaining your asset and identity framework is essential to deploying risk-based alerting in your organization.

Risk objects are the assets and identities such as systems and users in your organization. Splunk Enterprise Security uses correlation searches to connect machine data with asset and identity data that risk-based alerting uses to create risk factors and customize risk scores to produce high fidelity alerts.

Each asset and identity must have the following fields:

  • ip
  • nt_host
  • dns

Optionally, assets and identities can also have these fields:

  • Category
  • Priority

The Category and Priority fields are optional because they are specific to the risk profile of your organization. For example, laptops and login information get labeled as high-priority for C-suite executives and low priority for IT personnel due to their different roles within the organization.

All information that you add to your assets or identities is useful for tuning your risk incident rules. For example, identifying a user's business unit or a system's purpose helps to adjust risk scores by automatically lowering the risk of administrative processes based on business units. You can still track administrative functions without inflating the risk scores and generating an excessive number of alerts.

Additionally, you can enrich assets and identities with EDR tools and map host names to IP addresses that include information on proxy servers, authentication, VPN, or ZTNA logs, which is increasingly necessary in a remote work environment with dynamic IP addresses.

Follow these steps to optimally configure assets and identities for RBA in Splunk Enterprise Security:

  1. Review the completeness of your LDAP data and determine how critical the various assets and identities are for your organization's mission and processes so that you can prioritize the risk associated with the assets and identities accordingly.
    1. In Splunk Enterprise Security, navigate to Search > Search.
    2. Display all your asset and identity data.
      On the search bar, enter the following to list identity data:

      | `identities`


      On the search bar, enter the following to list asset data:

      | `assets`

  2. Review the Risk Analysis framework in Splunk Enterprise Security and formulate a plan to raise risk scores of the assets and identities in your organization based on their context.
    An automatic lookup from within the SA-Identity Management app in Splunk Enterprise Security compares indexed events with asset and identity data in the asset and identity lists to provide data enrichment and context. The additional asset and identity context added to indexed events helps to identify the criticality of specific assets or identities within your SOC and assign risk scores to them accordingly.
  3. Use the Risk Factor Editor in Splunk Enterprise Security to increase or decrease the risk scores associated with your assets and identities. This helps to customize risk in your security environment based on evolving threats.

Use a vulnerability scanner that identifies and creates an inventory of all the systems connected to your network to ensure the completeness of your asset and identity data. Vulnerability scanning identifies both the operating systems and the software installed on it, along with other attributes such as open ports and user accounts and checks each item in the inventory against one or more databases of known vulnerabilities for a potential security breach.

Adjust risk incident rules for changed assets and identities based on your business processes and your asset and identity framework. Ideally, updates to assets and identities must be automated for risk incident rules. A combination of the following asset and identity fields such as the Organizational Unit (OU), Title, Business Unit, and Group Membership can be tracked because changes to these fields are usually infrequent.

See also

For more information on updating your asset and identity framework, see the product documentation:

Asset and identity correlation

Configure asset and identity correlation

Collect and extract asset and identity data

Last modified on 12 April, 2023
Managing risk using risk-based alerting in Splunk Enterprise Security   Configure data models to normalize data for Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters