
Create an ad-hoc risk entry to adjust risk scores in Splunk Enterprise Security

Create an ad-hoc risk entry to make a manual, one-time adjustment to an object's risk score. You can use ad hoc risk entries to add a positive or negative number to the risk score of an object.

Add an ad hoc risk entry to neutralize risk manually or as part of an automation when you close an event. Specify the field you want to search and select a value for that field. You can then add to, subtract from, or multiply the risk score as you see fit.

Adding an ad hoc risk entry lets you add more risk for accounts with administrative privileges, executive systems, external assets, and so on. It also lets you reduce the risk for known entities. You can even reduce the risk to zero to ensure that the event gets tracked but does not create notables. This lets you use the event in conjunction with other contextual events and assign risk only when the events are seen together.
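As an added example that is not part of the Splunk documentation, the following SPL search shows how to verify the net effect of an ad hoc entry and how the "seen together" logic described above can be checked against the risk index: it sums risk_score per risk object over the last 24 hours, records which sources contributed, and keeps only objects that were touched by at least two distinct sources and whose total is still above a threshold. The object name webserver01, the 24-hour window and the threshold of 50 are assumed values chosen for illustration.

```spl
index=risk earliest=-24h risk_object="webserver01"
| stats sum(risk_score) AS total_risk,
        count AS modifier_count,
        dc(source) AS distinct_sources,
        values(source) AS sources,
        values(risk_message) AS messages
        BY risk_object, risk_object_type
| where distinct_sources >= 2 AND total_risk >= 50
```

Remove the risk_object filter on the first line to run the same check across every object; an object whose ad hoc entry reduced it to zero will be listed with its contributing sources but dropped by the final where clause until another source adds risk.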

Follow these steps to create an ad-hoc risk entry:

  1. Select Security Intelligence > Risk Analysis.
  2. Select Create Ad-hoc Risk Entry.
  3. Complete the form.
  4. Select Save.
| Risk modifiers | Description | Value |
|---|---|---|
| Risk score | Displays the relative risk of an asset or identity, such as a device or a user in your network environment, over time. | Positive or negative integer. |
| Risk object | Represents a system, host, device, user, role, credential, or any object that the correlation search reports on. | Text field. You can also enter a wildcard character with an asterisk (*). |
| Risk object type | Maps the risk object to a specific type. | Example: system, user, hash_values, network_artifacts, host_artifacts, tools, other |


See also

For more information about how best to use RBA in your security environment, see the product documentation.

Manage risk objects in Splunk Enterprise Security
How risk scores work in Splunk Enterprise Security
How to assign risk in Splunk Enterprise Security
How risk modifiers impact risk scores in Splunk Enterprise Security
How risk annotations provide additional context in Splunk Enterprise Security

Last modified on 25 July, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2
