Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Customizing risk factors by applying conditions to data fields

You can create and adjust risk factors based on the values of specific fields. For example, the following search focuses on the signature field in the Web data model:

| tstats summariesonly=true values(Web.dest) as dest values(Web.category) as category values(Web.user_bunit) as user_bunit FROM datamodel=Web WHERE Web.signature=* by Web.src Web.user Web.url | `drop_dm_object_name("Web")`

The following search shows how risk factors can adjust risk scores based on specific field values. It uses the eval command to test the value of the signature field and to apply a different adjustment for each condition that is met:

eval risk_adjust = case(signature="JS:Adware.Lnkr.A", -50, signature="Win32.Adware.YTDownloader", 0, signature="Trojan.Win32.Emotet" AND NOT user_bunit="THREAT INTELLIGENCE", 50)

If the signature field has a value of JS:Adware.Lnkr.A, the user's system might have adware that can lead victims to harmful sites. Adware is usually harmless unless the user takes action, so no further action such as uninstalling the software is needed, and you can reduce the risk score by 50. If the signature field has a value of Win32.Adware.YTDownloader, the user might have unknowingly downloaded a file; in such cases, the analyst uses their discretion to leave the risk score as is. If the signature field has a value of Trojan.Win32.Emotet, malware might have infected the user's system. Malware typically spreads through phishing emails with malicious attachments, so the analyst increases the risk score by 50 because the signature indicates an active threat. The additional condition on user_bunit excludes users in the THREAT INTELLIGENCE business unit, so the increase applies only to users outside that unit. Note that case() returns null when none of its conditions match, so signatures not listed in the search receive no adjustment.

Using risk factors, you can apply varying amounts of risk based on specific conditions.

Example: How to modify risk factors based on categories of risky behavior

An analyst has identified specific categories of risky behavior observed in their security operations center (SOC). The analyst weighs the risk associated with each activity type so that they can increase or decrease the risk factor accordingly, and decides to multiply the risk associated with each behavior by the factor shown in the following table.

Risky behavior type                 Risky behavior                     Multiply risk by factor
Negative behavior example           Unapproved software usage          1
Data exfil example                  Removable media file transfers     2
Suspicious communications example   Foreign research communications    2
Foreign travel example              Unreported travel                  2
Behavior anomalies example          Unusual data transfer volume       3
High risk example                   Elevated access                    3
Sensitive data exfil example        Keyterm or program related         3

Modifying risk factors based on activity type helps the analyst to calibrate the risk score based on the specific requirements of their SOC.
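The following Python model is an added example, not Splunk ES code or an SPL search; it replays the signature conditions from the eval case() search above and the behavior multiplier table on a few constructed events, then sums the result per user as risk-based alerting does. It assumes a base score of 100 per event, that additive adjustments apply before the multiplier, and that an unmatched case() (null in SPL) means no adjustment; the event field names other than signature and user_bunit are hypothetical.

```python
"""Model of the risk-factor logic on this page, applied to constructed events.

Assumed semantics (not Splunk ES internals): each event carries a base risk
score, the additive case() adjustment is applied first, then the behavior-type
multiplier from the table, and the scores are summed per risk object (user).
"""

# Multiplicative factors per risky behavior, copied from the table above.
BEHAVIOR_MULTIPLIER = {
    "Unapproved software usage": 1,
    "Removable media file transfers": 2,
    "Foreign research communications": 2,
    "Unreported travel": 2,
    "Unusual data transfer volume": 3,
    "Elevated access": 3,
    "Keyterm or program related": 3,
}


def signature_adjustment(event: dict) -> int:
    """Mirror of the eval case() search on this page.

    SPL case() returns NULL when no condition matches; that is treated as a
    zero adjustment here so unknown signatures leave the score unchanged.
    """
    sig = event.get("signature")
    if sig == "JS:Adware.Lnkr.A":
        return -50
    if sig == "Win32.Adware.YTDownloader":
        return 0
    if sig == "Trojan.Win32.Emotet" and event.get("user_bunit") != "THREAT INTELLIGENCE":
        return 50
    return 0  # no condition matched (NULL in SPL)


def event_risk(event: dict, base_score: int = 100) -> int:
    """Additive adjustment first, then the behavior multiplier (default 1)."""
    adjusted = base_score + signature_adjustment(event)
    return adjusted * BEHAVIOR_MULTIPLIER.get(event.get("behavior"), 1)


def risk_by_user(events: list) -> dict:
    """Aggregate per risk object (user), as risk-based alerting sums risk."""
    totals = {}
    for ev in events:
        totals[ev["user"]] = totals.get(ev["user"], 0) + event_risk(ev)
    return totals


# Constructed sample events (not real data); "behavior" is a hypothetical field.
SAMPLE_EVENTS = [
    {"user": "alice", "signature": "JS:Adware.Lnkr.A", "user_bunit": "SALES", "behavior": "Unapproved software usage"},
    {"user": "bob", "signature": "Trojan.Win32.Emotet", "user_bunit": "SALES", "behavior": "Removable media file transfers"},
    {"user": "carol", "signature": "Trojan.Win32.Emotet", "user_bunit": "THREAT INTELLIGENCE", "behavior": "Elevated access"},
    {"user": "bob", "signature": "Unknown.Sig", "user_bunit": "SALES", "behavior": "Unusual data transfer volume"},
]
```

Running risk_by_user(SAMPLE_EVENTS) shows the Emotet hit for carol contributing only the multiplied base score, because the THREAT INTELLIGENCE exclusion suppresses the +50 adjustment.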

See also

For more information about how risk factors are associated with risk objects and how they impact risk scores, see the product documentation.

Create risk factors in Splunk Enterprise Security

Manage risk factors in Splunk Enterprise Security

Use default risk factors for guidance to create risk factors in Splunk Enterprise Security

Last modified on 11 April, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
