How risk modifiers impact risk scores in Splunk Enterprise Security
Events that modify risk in Splunk Enterprise Security are called risk modifiers. Risk modifiers are events in the risk index which contain, at a minimum the following fields:
For example: A security analyst wants to track users who have downloaded a potentially malicious powershell script from the Internet. This script is run remotely on the host in-memory and is an indicator of a fileless malware attack.
The risk modifier is an event in the risk index that includes the following fields for a user "anna", in addition to information on the powershell script.
risk_object = anna
risk_object_type = user
risk_score = 30
However, if "anna" is an administrator user, you can additionally use risk factors to flag the increased risk represented by the powershell activity and automatically increase the score. Say, the security analyst wants to raise the risk score of the user "anna" by 30.
In this case the risk modifier will include the following fields for the administrator user "anna" to track powershell activity:
risk_object = anna
risk_object_type = user
risk_score = 60
Risk modifiers are key to calculating risk scores and assigning risk scores to risk objects. Risk factors are multipliers of risk and depend on the characteristics of the specific user or asset. Using risk factors, you can select conditions to dynamically adjust risk scores and simplify the threat investigation process by surfacing suspicious behavior.
The Risk data model accelerates these fields for the Risk Analysis and Incident Review dashboards.
Following is a list of risk modifiers that might impact the risk score of an event or a notable:
- Priority of the asset or identity associated with the event: Assign a higher risk score to an asset or identity that has a higher priority score based on the potential risk they represent for the organization. The same type of events from two different systems or users might not need the same level of attention. An event of medium severity event from a desktop machine is less urgent than the same event from an externally facing web-server that processes credit card information. Managing assets and identities in Splunk Enterprise Security allows you to compute urgency based on the priority of systems and users and assign higher urgency to higher priority assets. Priority values can include: Unknown, Low, Medium, High, or Critical.
- Category of the asset or identity: Assign a higher risk score to an asset or identity that might belong to a suspicious category. Category refers to a logical grouping to organize assets and identities in lookups that are used by correlation searches to identify systems and users that might be malicious or suspicious For example: Contractor, Cardholder, Privileged.
- User as Administrator: Assign a higher risk score to a user who has privileged access as an administrator.
Each administrator account represents a potential attack surface that an attacker can target. Assigning a higher risk score to an administrator user account helps to monitor the administrator account to limit the overall organizational risk. Membership of these privileged groups of users grows naturally over time as people change roles if membership not actively limited and managed.
- Entity being on a watchlist: Assign a higher risk score to an entity that is on a watchlist because it represents a higher risk. The correlation search for Watchlisted Event Observed creates notable events for specific watch lists. You can setup watchlist tags to generate notable events from specific security concerns, such as a missing laptop or suspicious domains. The correlation search for Watchlisted Event Observed is:
tag=watchlist NOT sourcetype=stash | `get_event_id` | `map_notable_fields`
- Time of day: Assign a higher risk score to an event for specific times during the day when the potential of suspicious activity is higher. For example, multiple log in attempts during non-business hours.
- The location of the event: Assign a higher risk score to an event if there is an increased likelihood of a potential cyberattack based on the location of the event.
- Other criteria: An analyst might also identify other criteria that they deem relevant to their security environment as a potential risk modifier.
How to contain risk modifiers
You cannot suppress risk modifiers like with notable events. Instead, you have the following options to contain risk modifiers:
- Aggregate the results of the correlation search
- You can aggregate the results of multiple runs of a correlation search based on fields and duration using the alert.suppress settings in the
savedsearches.confconfiguration file. See Savedsearchesconf.
- Modify the correlation search to filter results
- To prevent further false positives, you can edit the correlation search syntax to filter events or results.
For more information about how risk modifiers are associated with risk objects and how they impact risk scores, see the product documentation.
Create risk and edit risk objects in Splunk Enterprise Security
Modify a risk score with a risk modifier in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0