Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Default risk incident rules in Splunk Enterprise Security

Use the default risk incident rules available in Splunk Enterprise Security to begin risk-based alerting (RBA). These default risk incident rules create adaptive response actions that generate risk events.

The following risk incident rules are enabled by default:

The risk incident rule ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 days creates risk events when the number of MITRE tactics exceeds 3 over the last 7 days.

| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic_id=* by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | eval "annotations.mitre_attack"='annotations.mitre_attack.mitre_technique_id' | where mitre_tactic_id_count >= 3 and source_count >= 4

The risk incident rule Risk Threshold Exceeded for Object Over 24 Hour Period searches the risk index and aggregates risk scores by object and creates risk events when the risk score for an object exceeds 100 over the last 24 hours. For example, if an object has eight related events, each with a calculated risk score, the search adds all the eight scores together. This default risk incident rule has a default setting of a 24-hour search window.

| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | eval "annotations.mitre_attack"='annotations.mitre_attack.mitre_technique_id', risk_threshold=100 | where risk_score > $risk_threshold$ | `get_risk_severity(risk_score)`

Search for the default risk incident rules

Follow these steps to search for the default risk incident rules in Splunk Enterprise Security:

  1. In the Splunk Enterprise Security app, navigate to Content > Content Management.
  2. Set the Type filter to Correlation Search.
  3. Set the App filter to SA-ThreatIntelligence.
  4. Search for Risk in the search bar.

Customize the default risk incident rules

You can also customize these risk incident rules and edit them to change specific conditions based on your security environment.

For example, in the risk incident rule Risk Threshold Exceeded for Object Over 24 Hour Period, you can increase the risk score threshold by 200 instead of 100 over the last 24 hours if that works for your environment.


See also

For more information about how best to use risk incident rules in your security environment, see the product documentation.

Run risk incident rules in Splunk Enterprise Security

Edit correlation searches

Last modified on 03 May, 2023
Run risk incident rules in Splunk Enterprise Security   Risk notables in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters