Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Adjust risk scores for specific objects

This is the final step in the Isolate threats with risk-based alerting scenario.

Ram uses risk factors to adjust risk scores for specific risk objects to more effectively map out the risk in the security environment and simplify the threat investigation process to prioritize suspicious behavior. Risk factors increase the risk scores based on specific conditions without creating new searches. For example, Ram can increase the risk score by a factor of two on a laptop that might be a target if it belongs to a director instead of an individual contributor.

Risk factors get calculated based on a formula.

Ram can also use the default risk factors designed for specific conditions to dynamically assign risk scores to risk objects and isolate threats using Splunk Enterprise Security. Splunk Enterprise Security provides seven risk factors by default, which can be customized based on Ram's specific environment. Ram can also use these default risk factors as examples for guidance and create risk factors based on the environment.

Ram can modify the score of a risk object based on tactic, user, src, dest, and threat object.

  1. From the Enterprise Security menu, Ram selects Configure > Content > Content Management.
  2. From the Create New Content list, Ram selects Risk Factor, which opens the Risk Factor Editor.
  3. Ram then selects the default risk factor, Watchlisted User.


The Watchlisted User risk factor increases the risk score for users on a watch list by a multiple of 1.5. So, if user_watchlist is true, the risk score is multiplied by 1.5. Ram can include all the directors on the watchlist.
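The multiplier behaviour described above, modelled in Python as an added example (not Splunk's own code or its scoring formula): a risk factor is a condition on one field of a risk event plus a multiplier, matching factors multiply the base score, and the per-object totals are what risk-based alerting compares against a threshold. The "Director laptop" factor, the field names and the sample events are constructed, and compounding several matching factors multiplicatively is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskFactor:
    """A condition on one field of a risk event and the multiplier it applies."""
    name: str
    field_name: str
    match: str
    multiplier: float


def apply_risk_factors(event, factors):
    """Return the event's risk score after every matching factor is applied.

    Assumption (constructed model): multiple matching factors compound
    multiplicatively, so two factors of 1.5 and 2.0 give 3.0x the base score.
    """
    score = float(event["risk_score"])
    for factor in factors:
        if str(event.get(factor.field_name, "")).lower() == factor.match.lower():
            score *= factor.multiplier
    return round(score, 2)


def aggregate_risk(events, factors):
    """Sum adjusted scores per risk object, as RBA does before thresholding."""
    totals = defaultdict(float)
    for event in events:
        totals[event["risk_object"]] += apply_risk_factors(event, factors)
    return dict(totals)


def objects_over_threshold(totals, threshold):
    """Risk objects whose total meets the threshold, highest first."""
    return sorted((o for o, s in totals.items() if s >= threshold),
                  key=lambda o: totals[o], reverse=True)


FACTORS = [
    RiskFactor("Watchlisted User", "user_watchlist", "true", 1.5),  # default factor from the page
    RiskFactor("Director laptop", "user_category", "director", 2.0),  # constructed example
]

# Constructed sample risk events; field names other than risk_object/risk_score are assumptions.
EVENTS = [
    {"risk_object": "alice", "risk_score": 40, "user_watchlist": "true"},
    {"risk_object": "alice", "risk_score": 20, "user_watchlist": "true", "user_category": "director"},
    {"risk_object": "bob", "risk_score": 50, "user_watchlist": "false"},
]
```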

Now Ram can mitigate risk successfully by using risk factors that dynamically modify risk scores based on specific conditions and keep Buttercup Games safe from security threats.

See also

For more information on risk scores, see the product documentation:

How the risk factor scoring works

Create risk factors in Splunk Enterprise Security

Using Watchlists to Your Advantage blog post

Last modified on 02 June, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2

