Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Default risk factors in Splunk Enterprise Security

Use default risk factors designed for specific conditions to dynamically assign risk scores to risk objects and effectively isolate threats using Splunk Enterprise Security. Splunk Enterprise Security provides seven risk factors by default, which you can customize based on your specific environment. You can also use these default risk factors as examples for guidance and create your own risk factors based on your environment.

All risk factors available in Splunk Enterprise Security are displayed on the Risk factor Editor, but are in a disabled state.

The following risk factors are available in the app by default:

Risk factor: Admin User
Description: Increases the risk score of a user who has a privileged or administrative identity. If the user_category field matches the regular expression "admin", the risk score is multiplied by 1.5.

Risk factor: Contractor User
Description: Increases the risk score of a user who is a contractor. If the user_category field value is "contractor", the risk score is increased by 5.

Risk factor: Critical Priority Destination
Description: Increases the risk score for critical destinations. If the dest_priority field value is "critical", the risk score is multiplied by 1.5.

Risk factor: High Priority User
Description: Increases the risk score for high priority users. If the user_priority field value is "high", the risk score is multiplied by 1.25.

Risk factor: PCI Source
Description: Increases the risk score for sources that are related to PCI compliance.

Risk factor: Watchlisted Priority User
Description: Increases the risk score for users on a watch list whose priority is not low. If the user_watchlist field is "true" and the user_priority field is not "low", the risk score is multiplied by 1.5. For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage.

Risk factor: Watchlisted User
Description: Increases the risk score for users on a watch list. If the user_watchlist field is "true", the risk score is multiplied by 1.5. For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage.
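The following is an added example, not code from the Splunk Enterprise Security product or its documentation, that models how the default risk factors above change a risk score. It encodes the six default factors whose conditions this page states (PCI Source is left out because its condition is not given here) and applies them to constructed sample risk events. Two points are assumptions rather than documented behaviour: the regular-expression condition is evaluated as an unanchored search (so "domain_admin" matches "admin"), and additive factors are applied before multiplicative ones. The function and field names are illustrative only.

```python
"""Model of Splunk ES risk-factor evaluation (added example, not product code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RiskFactor:
    name: str
    # Each condition is (field, operator, value); all conditions must hold (AND),
    # which is how "Watchlisted Priority User" combines its two conditions.
    conditions: Tuple[Tuple[str, str, str], ...]
    operation: str   # "multiply" or "add"
    amount: float


# Six of the seven defaults listed on the page. PCI Source is omitted because
# the page does not state its condition.
DEFAULT_RISK_FACTORS: List[RiskFactor] = [
    RiskFactor("Admin User", (("user_category", "matches", "admin"),), "multiply", 1.5),
    RiskFactor("Contractor User", (("user_category", "=", "contractor"),), "add", 5),
    RiskFactor("Critical Priority Destination", (("dest_priority", "=", "critical"),), "multiply", 1.5),
    RiskFactor("High Priority User", (("user_priority", "=", "high"),), "multiply", 1.25),
    RiskFactor("Watchlisted Priority User",
               (("user_watchlist", "=", "true"), ("user_priority", "!=", "low")), "multiply", 1.5),
    RiskFactor("Watchlisted User", (("user_watchlist", "=", "true"),), "multiply", 1.5),
]


def condition_matches(cond: Tuple[str, str, str], event: Dict[str, object]) -> bool:
    """Evaluate one condition against a risk event. Missing fields never match."""
    field_name, op, expected = cond
    actual = event.get(field_name)
    if actual is None:
        return False
    value = str(actual).lower()
    if op == "=":
        return value == expected.lower()
    if op == "!=":
        return value != expected.lower()
    if op == "matches":
        # Assumption: unanchored, case-insensitive regex search, so the default
        # "admin" pattern also fires on values such as "domain_admin" or "sysadmin".
        return re.search(expected, value, re.IGNORECASE) is not None
    raise ValueError(f"unsupported operator: {op}")


def apply_risk_factors(base_score: float, event: Dict[str, object],
                       factors: List[RiskFactor]) -> Tuple[float, List[str]]:
    """Return the adjusted risk score and the names of the factors that fired.

    Assumption (not documented on this page): additive factors are applied
    before multiplicative ones, so a +5 is itself scaled by later multipliers.
    """
    score = float(base_score)
    applied: List[str] = []
    ordered = sorted(factors, key=lambda f: f.operation != "add")  # stable: adds first
    for factor in ordered:
        if all(condition_matches(c, event) for c in factor.conditions):
            score = score + factor.amount if factor.operation == "add" else score * factor.amount
            applied.append(factor.name)
    return score, applied


# Constructed sample risk events (fictional users and field values).
SAMPLE_EVENTS = [
    {"user": "jdoe", "user_category": "domain_admin", "user_priority": "high",
     "user_watchlist": "true", "dest_priority": "critical", "base_score": 20},
    {"user": "contractor01", "user_category": "contractor", "user_priority": "low",
     "user_watchlist": "true", "dest_priority": "medium", "base_score": 10},
    {"user": "asmith", "user_category": "employee", "user_priority": "medium",
     "user_watchlist": "false", "dest_priority": "low", "base_score": 10},
]


def score_samples() -> List[Tuple[str, float, List[str]]]:
    """Score every constructed sample event with the default factors."""
    results = []
    for event in SAMPLE_EVENTS:
        score, applied = apply_risk_factors(event["base_score"], event, DEFAULT_RISK_FACTORS)
        results.append((str(event["user"]), score, applied))
    return results


if __name__ == "__main__":
    for user, score, applied in score_samples():
        print(f"{user:14s} risk_score={score:<9g} factors={applied}")
```

Running the block shows why watch-listed privileged users climb quickly: jdoe picks up five multipliers and goes from 20 to 126.5625, while the contractor's +5 is applied before the Watchlisted User multiplier and lands at 22.5. If you reproduce this with real data, check whether your deployment's multiplicative-versus-additive ordering and regex anchoring match the assumptions above before relying on the resulting thresholds.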

See also

For more information about risk factors, see the product documentation.

Create risk factors in Splunk Enterprise Security

Manage risk factors in Splunk Enterprise Security

Troubleshoot upgrade issues with risk factors

Customizing risk factors by applying conditions to data fields

Last modified on 08 February, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2

