Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

How risk scores work in Splunk Enterprise Security

Use risk scores to calculate the risk of events in Splunk Enterprise Security. A risk score is a single metric that shows the relative risk of an asset or identity such as a device or a user in your network environment over time. Splunk Enterprise Security classifies a device as a system, a user as a user, and unrecognized devices or users as other.

Use the Risk Analysis dashboard to display risk scores and other risk-related information. Splunk Enterprise Security indexes all risks as events in the risk index. To access the Risk Analysis dashboard from your Splunk Enterprise Security app, go to Security Intelligence > Risk Analysis. You can also drill down to investigate risk events and view the associated risk scores using the Risk Timeline visualization.

For more information on the Risk Analysis dashboard, see Risk Analysis in the Use Splunk Enterprise Security manual.

How Splunk Enterprise Security assigns risk scores

Splunk Enterprise Security uses correlation searches to correlate machine data with known threats. Risk-based alerting (RBA) applies the data from assets and identities, which comprises the devices and user objects in a network environment, to events at search time to enrich the search results. Correlation searches search for a conditional match to a question.

When the correlation search finds a match, it generates an alert as a notable event, a risk modifier, or both, which might indicate a threat. A notable event becomes a task. You must assign, review, or close this event. A risk modifier becomes a number. This event adds to the risk score of a device or user object.

A risk score is a single metric that shows the relative risk of a device or user object in the network environment over time. These objects are also known as risk objects. A risk object represents a system, a user, or an unspecified other.

Colors are used to distinguish between the levels of risk. A risk score of 0-25 is represented by a yellow badge, 25-50 is orange, 50-75 is light red, and a risk score above 75 is dark red.

Splunk Enterprise Security might initially score some of the risk events too high in the early stages of your RBA journey. However, as you manage your risk ecology, it gets easier to tune your risk-based correlation searches and score risk events appropriately. RBA assigns risk scores based on both the impact and confidence of a risk event. For example: If a detection such as "Any PowerShell DownloadString" has an impact score of 80 and a confidence score of 70, Splunk Enterprise Security assigns it a risk score of 56. Over time, as you run the risk-based correlation search, you might discover that some of the risk events indicate expected behavior in your security environment. In such cases, you can apply less risk to those events instead of lowering the overall risk score.

Example: Risk scoring

Host 192.0.2.2 is a system that generates several notable events. The correlation search for Personally Identifiable Information Detected creates five notable events per day for that system.

The following tables display how risk scoring is displayed on the Risk Analysis dashboard in the Risk Score by Object and Most Active Sources panels for the last 7 days by default, for a host that has a risk score of 480.0 i

risk_object risk_object_type risk_score source_count count
192.0.2.2 system 480.0 1 6
source risk_score risk_objects count
Audit - Personally Identifiable Information Detection - Rule 480.0 1 6

Since 192.0.2.2 is a test server, this behavior might not seem important. However, instead of ignoring or suppressing notable events generated by test servers, you can create specific rules to monitor those servers differently.

You can create a correlation search that assigns a risk modifier instead of creating a notable event, when the correlation matches hosts that serve as test servers.

  1. Exclude test servers from the existing correlation searches using an allow list. See Allowlist events in Administer Splunk Enterprise Security for more information.
  2. Create and schedule a new correlation search based on the Personally Identifiable Information Detected search but include the list of test server hosts and assign only a risk analysis adaptive response action.
  3. Verify that you apply the risk modifiers to the test server hosts by raising their risk score incrementally. The new correlation search does not create notable events for those hosts based on personally identifiable information.

As the relative risk score goes up, you can compare 192.0.2.2 to similar test servers. If the relative risk score for 192.0.2.2 exceeds its peers, you can investigate that host. If the risk scores of similar test servers are higher relative to others, you might need to review an internal security policy or implement the security policy differently.

Score ranges for risk

Risk scoring offers a way to capture and aggregate the activities of an asset or identity into a single metric using risk modifiers.

The correlation searches included in Splunk Enterprise Security assign a risk score between 20 and 100 depending on the relative severity of the activity found in the correlation search. The searches scope the default scores to a practical range. This range does not represent an industry standard. Splunk Enterprise Security does not define an upper limit for the total risk score of an identity or asset.

Risk score levels use the same naming convention as event severity. You can assess relative risk scores by comparing hosts with similar roles and asset priority.

  • 20 - Info
  • 40 - Low
  • 60 - Medium
  • 80 - High
  • 100 - Critical

Administrators can edit correlation searches to modify the risk score that the risk analysis response action assigns to an object. See Modify a risk score with a risk modifier.

See also

For more information about how best to use RBA in your security environment, see the product documentation.

How risk-based alerting works in Splunk Enterprise Security

How risk modifiers impact risk scores in Splunk Enterprise Security

Modify a risk score with a risk modifier in Splunk Enterprise Security

Included adaptive response actions with Splunk Enterprise Security in Administer Splunk Enterprise Security.

How are risk score calculated for RBA

Last modified on 11 July, 2023
How to assign risk in Splunk Enterprise Security   How to create risk notables using Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters