Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Track high risk behavior using lookups

This is the first step in the Isolate user behaviors that pose threats with risk-based alerting scenario.

Ram tracks high risk users by creating lookups with specific fields that help monitor suspicious behavior as follows:

  1. First, Ram adds calculated fields to events at search time to identify high value files that contain sensitive or confidential information.
    Ram uses these fields to score files based on the following logic:
    if(match(file, "CONFIDENTIAL|SENSITIVE|IMPORTANT"), "1", "0")
    If a file is confidential or contains sensitive or important information, Ram assigns it a score of 1; otherwise Ram assigns the file a score of 0. Because match() takes a regular expression, the keywords are separated with | (alternation) rather than commas, and the comparison is case-sensitive unless the pattern starts with (?i).
  2. Next, Ram searches for references to information related to competitors using the following logic:
    if(match(file, "Other_Company|Not_as_Good|Product_Stinks"), "1", "0")
    Threats often enter an organization through new employees, who might bring in confidential information that they plan to use for building products. Knowing that this behavior might lead to legal problems for Buttercup Games in the future, Ram monitors the network to identify such high risk users.
    Through partnerships with cross-functional organizations, Ram has already determined the typical risky behaviors that might pose an insider threat. For example:
    • A manager reporting an employee for engaging in suspicious activities.
    • Terminated employees
    • Employees working on sensitive projects such as mergers and acquisitions that can have financial implications for the company.
  3. Finally, with this information, Ram creates the following lookup to track high risk users that need additional monitoring.

    index=risk | lookup high_risk_user.csv user AS user OUTPUT hru_status, notes, date_added | search hru_status="active"

    This lookup tracks the following fields:

    • Username
    • Date added
    • Status (active or not active)
    • Notes

    Ram ensures that the lookup is constantly updated, adds comments as required based on any new information received, and keeps the access list for the lookup limited to a few individuals. To edit lookups, Ram uses the Splunk App for Lookup File Editing from Splunkbase.

When an alert is triggered, Ram outputs specific fields from the lookup and runs them against the risk index to determine whether to escalate the investigation.
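The following Python script is an added example, not part of the Splunk documentation: it models the three steps above offline (the two calculated fields, the lookup enrichment, and the filter on active high risk users) so the logic can be checked before it is deployed as props.conf calculated fields and a correlation search. The lookup rows, the risk-index events, and the field names high_value and competitor_ref are constructed for the example; hru_status, notes and date_added are the lookup fields the page names.

```python
import csv
import io
import re

# Constructed sample of high_risk_user.csv, using the fields the page lists.
HIGH_RISK_USER_CSV = """user,hru_status,notes,date_added
jdoe,active,Reported by manager for unusual file access,2023-05-01
asmith,inactive,Left the company; account disabled,2023-03-15
bchen,active,Working on merger project,2023-05-20
"""

# Constructed sample events as they might appear in the risk index.
RISK_EVENTS = [
    {"user": "jdoe", "file": "Q3_CONFIDENTIAL_roadmap.docx", "risk_score": 20},
    {"user": "asmith", "file": "Product_Stinks_review.txt", "risk_score": 30},
    {"user": "bchen", "file": "lunch_menu.pdf", "risk_score": 5},
    {"user": "bchen", "file": "Other_Company_pricing.xlsx", "risk_score": 40},
    {"user": "newhire", "file": "SENSITIVE_merger_terms.pdf", "risk_score": 50},
]

# Regex alternation, as SPL match() expects; a comma-separated string would
# only match that literal string and never fire.
HIGH_VALUE_PATTERN = "CONFIDENTIAL|SENSITIVE|IMPORTANT"
COMPETITOR_PATTERN = "Other_Company|Not_as_Good|Product_Stinks"


def spl_match(value, pattern):
    """Model of SPL match(): true when the regex matches anywhere in value (case-sensitive)."""
    return re.search(pattern, value) is not None


def score_event(event):
    """Model of the two calculated fields: 1 when the file name matches, else 0."""
    scored = dict(event)
    scored["high_value"] = 1 if spl_match(event["file"], HIGH_VALUE_PATTERN) else 0
    scored["competitor_ref"] = 1 if spl_match(event["file"], COMPETITOR_PATTERN) else 0
    return scored


def load_lookup(csv_text):
    """Parse the lookup CSV into a dict keyed by user."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def apply_lookup(events, lookup):
    """Model of `| lookup ... user AS user OUTPUT hru_status, notes, date_added`.

    Like the SPL lookup command this is a left join: events whose user has no
    lookup row are kept but receive no hru_status, so the later filter drops them.
    """
    enriched = []
    for event in events:
        out = dict(event)
        row = lookup.get(event["user"])
        if row is not None:
            for field in ("hru_status", "notes", "date_added"):
                out[field] = row[field]
        enriched.append(out)
    return enriched


def active_high_risk(events, lookup):
    """Full pipeline: score, enrich from the lookup, keep only hru_status="active"."""
    enriched = apply_lookup([score_event(e) for e in events], lookup)
    return [e for e in enriched if e.get("hru_status") == "active"]


def risk_by_user(events):
    """Sum risk_score per user, the figure Ram would review before escalating."""
    totals = {}
    for event in events:
        totals[event["user"]] = totals.get(event["user"], 0) + event["risk_score"]
    return totals


if __name__ == "__main__":
    lookup = load_lookup(HIGH_RISK_USER_CSV)
    hits = active_high_risk(RISK_EVENTS, lookup)
    for hit in hits:
        print(hit["user"], hit["file"], hit["high_value"], hit["competitor_ref"], hit["notes"])
    print(risk_by_user(hits))
```

Note that "newhire" never reaches the output even though the file is sensitive: the user has no row in the lookup, so the search filter on hru_status excludes them. That is the intended behaviour of this step, and it is why the lookup has to be kept current.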

Next step

Assign risk scores to high risk users

See also

For more information on using lookups and calculated fields, see the product documentation:

Creating lookups to reduce noisy alert volume

About calculated fields in the Splunk Enterprise Knowledge Manager Manual

Last modified on 02 June, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

