Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Modify a risk score with a risk modifier in Splunk Enterprise Security

Modify a risk score as a result of a correlation search or in response to notable event details with the Risk Analysis adaptive response action in the Correlation Search Editor. The risk adaptive response action creates a risk modifier event.

You can view the risk modifier events on the Risk Analysis dashboard in Enterprise Security. To access the Risk Analysis dashboard from Splunk Enterprise Security, go to Security Intelligence > Risk Analysis.

  1. In Splunk Web, navigate to the Correlation Search Editor.
  2. Select Add New Response Action and select Risk Analysis.
  3. Select + to add a risk modifier.
    1. Enter a positive or negative integer or decimal number in the Risk Score field to assign a value to the risk object.
    2. In the Risk Object Field, enter the name of a field that exists in the correlation search results. The risk score is applied to the value of that field.
      For example, enter src to select the source field.
    3. In the Risk Object Type field, enter the name of an object type to specify whether the entity is a system, a user, or other. The results of the `risk_object_types` macro define the list that is displayed. For example, enter host_artifacts for an asset.
  4. Select + to add additional risk modifiers and follow the previous steps to assign different risk scores to different fields.

This view is unique to the correlation search editor. You do not see it, for example, in the adaptive response actions through Incident Review.

You can see the changes that you made to the risk score by searching the data model.

| from datamodel:Risk.All_Risk | search (risk_object=myuser OR risk_object=mysystem)

You can also see the changes using the risk correlation lookup.

| makeresults | eval dest="mysystem" | `risk_correlation`
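The two searches above return individual risk modifier events. To see how modifiers accumulate into a score per entity, the following SPL search is an added example (not from the original topic) that sums risk_score from the Risk data model over the last 24 hours, grouped by risk object and risk object type. The object names myuser and mysystem are the sample values used above; the 24-hour window is an assumption chosen for the example, and summariesonly=false is set so the search also works when the Risk data model is not accelerated.

```spl
| tstats summariesonly=false
    sum(All_Risk.risk_score) as total_risk_score
    count as modifier_count
    values(All_Risk.risk_message) as risk_messages
    from datamodel=Risk.All_Risk
    where All_Risk.risk_object IN ("myuser", "mysystem") earliest=-24h
    by All_Risk.risk_object, All_Risk.risk_object_type
| rename All_Risk.* as *
| sort - total_risk_score
```

Run the search from the Search & Reporting app after the correlation search has fired at least once. A negative Risk Score entered in the editor lowers total_risk_score for that object, and modifier_count shows how many modifier events contributed to the total, which is useful when checking that a new risk modifier is attributed to the field you expected.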

See also

For more information about how best to use RBA in your security environment, see the product documentation.

How risk scores work in Splunk Enterprise Security
Assign risk in Splunk Enterprise Security
How risk modifiers impact risk scores in Splunk Enterprise Security

Last modified on 06 March, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
