Splunk® Enterprise Security

Splunk Enterprise Security Tutorials

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links might return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Part 3: Create a risk incident rule

Now that you have raised the risk score for watchlisted users, you need to create risk incident rules so that risk notables are created.

A risk incident rule reviews the events in the risk index for anomalous events and threat activity, and aggregates the events that affect a single risk object (an asset or an identity) to generate risk notables in Splunk Enterprise Security.

Risk notables are created when the aggregated risk score surpasses a specified threshold over a period of time. They help you evaluate the risk associated with an asset (a system) or an identity (a user).

Identify the tactic to enrich the risk incident rule

Begin by creating a risk incident rule that is enriched with a technique from the discovery tactic of the MITRE ATT&CK framework.

Follow these steps to identify the MITRE tactic to enrich the risk incident rule:

  1. Identify the techniques available under the discovery tactic in the MITRE framework by entering the following search in Splunk Enterprise Security:

    |inputlookup mitre_attack_lookup |search mitre_tactic="discovery" |table mitre_tactic, mitre_technique, mitre_technique_id

    This screen image shows the available Discovery tactics.

  2. Select one technique from the list of available discovery techniques.
    When you configure the risk incident rule in the next task, you base it on the technique T1049: System Network Connections Discovery (https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md).
    The risk incident rule tracks adversaries who attempt to list the network connections to and from a compromised system, or from remote systems, by querying for information over the network.

Configure the risk incident rule

Follow these steps to configure a risk incident rule to identify network connections associated with compromised systems:

  1. In the Splunk Enterprise Security app, select Configure, then select Content.
  2. Select Content Management.
  3. From the Create New Content drop-down list, select Correlation Search.
  4. In the Correlation Search Editor, enter the search name: RR - System Network Connections Discovery.
  5. In the Description field, enter the following text: Adversaries might attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
  6. In the Search field, enter the following search:

    sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 (process_name="net.exe" OR process_name="netstat.exe") AND (process_command_line="*net* use *" OR process_command_line="*net* sessions*" OR process_command_line="*net* file*" OR process_command_line="*netstat*") | table _time,user,dest,process_command_line,parent_process_name, process_name,CurrentDirectory,ParentCommandLine | rex field=dest "^(?<dest>.*?)[\.|$]" | eval user=lower(if(match(user,".*\\\\.*"), replace(user,".*\\\\",""), user)), dest=lower(dest)

    This screen image shows the configuring of a risk incident rule.

After you configure the correlation search, move to the Map the risk incident rule to the MITRE tactic section to map the risk incident rule to the MITRE tactic.

Map the risk incident rule to the MITRE tactic

Follow these steps to map the risk incident rule to the MITRE tactic T1049:

  1. In the Correlation Search Editor, go to Annotations.
  2. For the MITRE ATT&CK field, enter T1049. This screen image shows mapping the risk incident rule with a MITRE tactic.

After you map the risk incident rule to the MITRE tactic, add the time range and throttling conditions to the risk incident rule so that you can generate risk notables.


Add time range and throttling conditions to the risk incident rule

Now, follow these steps to add time range and throttling conditions that the risk incident rule uses to generate risk notables:

  1. In the Correlation Search Editor, in the Earliest Time field, enter: -2000d.
  2. In the Latest Time field, enter: now.
  3. In the Cron Schedule field, enter: */10 * * * *.
  4. Next, go to the Throttling section. In the Window Duration field, enter: 1 week(s).
  5. In Fields to group by, enter: _time, source, dest, user, process_command_line. This screen image shows adding throttling conditions to the risk incident rule.

Add the Risk Analysis adaptive response action

Next, follow these steps to associate risk with the risk incident rule:

  1. In the Correlation Search editor, go to Adaptive Response Actions.
  2. Select Risk Analysis.
  3. In the Risk Message field, enter: A network discovery command ($process_command_line$) was performed on '$dest$' by user '$user$' and launched by '$parent_process_name$'
  4. Go to Risk Modifiers, and for the Risk Score field, enter 5.
  5. For the Risk Object field, enter dest.
  6. For the Risk Object Type field, enter system.
  7. Select Add a new risk modifier.
  8. In the new risk modifier, for the Risk Score field, enter 5.
  9. For the Risk Object field, enter user.
  10. For the Risk Object Type field, enter user.
    The dataset supports both system and user risk objects, so you have now created risk modifiers for both.
  11. Go to Threat Object, and for the Threat Object field, enter process_command_line as the potential indicator of compromise.
  12. For the Threat Object Type field, enter command.
  13. Select Save. This screen image shows adding a risk analysis adaptive response action.

Validate the risk incident rule

Follow these steps to validate the risk incident rule that you created:

  1. In Splunk Enterprise Security, go to Content.
  2. Select Content Management and search for the risk incident rule that you created.
    This screen image shows how to validate the risk incident rule.
  3. Under Actions, verify that the risk incident rule is enabled.
  4. In Splunk Enterprise Security, go to Search and select Search.
  5. Enter the following search in the search bar:

    index=risk | stats values(risk_object_type) count sum(risk_score) values(risk_message) values(annotations.mitre_attack.mitre_technique) values(annotations.mitre_attack.mitre_tactic) by risk_object

    This search of the risk index identifies 226 risk events generated by the risk incident rule, as shown in the following screenshot:
    This screen image shows that the risk incident rule searches the risk index to identify 226 risk events.

  6. Review the following items:
    • risk object types for both system and user
    • sum of the risk score to see if the threshold is too high or low
    • risk messages to verify if the tokens look correct
    • values to verify if the MITRE annotations lookup is working correctly
  7. Expand any one of the search results to see the new fields that the risk-based alerting (RBA) framework adds to each risk event.
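To make the rule's behaviour concrete, here is an added Python example (not Splunk or Splunk Enterprise Security code) that re-implements the correlation search from the Configure the risk incident rule section, the throttling and Risk Analysis settings, and the validation search above, over a handful of constructed Sysmon process-creation events. It assumes that Splunk's wildcard matching can be approximated by a case-insensitive glob over the whole field value, that the T1049 annotation resolves to the technique name System Network Connections Discovery and the tactic discovery in the MITRE lookup, and that the events carry the same field names the search uses; the sample events and their values are constructed.

```python
"""Toy re-implementation of the tutorial's "RR - System Network Connections Discovery" rule
and of its validation search over constructed Sysmon events (added example, not Splunk code)."""
import re
from fnmatch import fnmatchcase

# Clauses of the correlation search, as Python data.
PROCESS_NAMES = {"net.exe", "netstat.exe"}
COMMAND_PATTERNS = ["*net* use *", "*net* sessions*", "*net* file*", "*netstat*"]
RISK_SCORE = 5                                    # score of each of the two risk modifiers
THROTTLE_WINDOW = 7 * 24 * 3600                   # "1 week(s)", in seconds
THROTTLE_FIELDS = ("_time", "source", "dest", "user", "process_command_line")
# Assumption: what the T1049 annotation resolves to in the MITRE lookup.
MITRE_TECHNIQUE, MITRE_TACTIC = "System Network Connections Discovery", "discovery"

# Constructed sample events (not real telemetry); field names follow the tutorial search.
SAMPLE_EVENTS = [
    {"_time": 1690000000, "EventCode": 1, "source": "sysmon", "user": "CORP\\Alice",
     "dest": "ws01.corp.example.com", "process_name": "net.exe",
     "process_command_line": "net use \\\\fs01\\share", "parent_process_name": "cmd.exe"},
    {"_time": 1690000060, "EventCode": 1, "source": "sysmon", "user": "bob", "dest": "WS02",
     "process_name": "netstat.exe", "process_command_line": "netstat -ano",
     "parent_process_name": "powershell.exe"},
    {"_time": 1690000120, "EventCode": 1, "source": "sysmon", "user": "CORP\\Alice",
     "dest": "ws01.corp.example.com", "process_name": "net.exe",
     "process_command_line": "net sessions", "parent_process_name": "cmd.exe"},
    # Not matched: "net user" is not one of the listed command-line patterns.
    {"_time": 1690000180, "EventCode": 1, "source": "sysmon", "user": "CORP\\svc_backup",
     "dest": "srv01.corp.example.com", "process_name": "net.exe",
     "process_command_line": "net user", "parent_process_name": "cmd.exe"},
    # Not matched: EventCode 3 is a network connection, not a process creation.
    {"_time": 1690000240, "EventCode": 3, "source": "sysmon", "user": "bob", "dest": "WS02",
     "process_name": "netstat.exe", "process_command_line": "netstat -ano",
     "parent_process_name": "powershell.exe"},
]

def normalize_user(user):
    r"""eval user=lower(if(match(user,".*\\\\.*"), replace(user,".*\\\\",""), user)):
    drop a DOMAIN\ prefix (everything up to the last backslash) and lowercase."""
    return re.sub(r".*\\", "", user).lower()

def normalize_dest(dest):
    r"""rex field=dest "^(?<dest>.*?)[\.|$]" then lower(dest): keep the short host name. The
    class matches a literal '.', '|' or '$'; with none present the rex leaves dest unchanged."""
    m = re.match(r"^(.*?)[.|$]", dest)
    return (m.group(1) if m else dest).lower()

def matches_rule(event):
    """Filter part of the search. Assumption: Splunk wildcard matching is approximated
    by a case-insensitive whole-value glob."""
    if event.get("EventCode") != 1 or event.get("process_name", "").lower() not in PROCESS_NAMES:
        return False
    cmd = event.get("process_command_line", "").lower()
    return any(fnmatchcase(cmd, pattern) for pattern in COMMAND_PATTERNS)

def apply_throttling(events):
    """Suppress repeats of the same group-by values inside the window. Because the tutorial's
    group-by fields include _time, only events with an identical timestamp are suppressed."""
    last_seen, kept = {}, []
    for event in events:
        key = tuple(event.get(field) for field in THROTTLE_FIELDS)
        if key in last_seen and event["_time"] - last_seen[key] < THROTTLE_WINDOW:
            continue
        last_seen[key] = event["_time"]
        kept.append(event)
    return kept

def risk_action(event):
    """Risk Analysis action: one risk event per risk modifier (system = dest, user = user),
    each carrying the risk message, the threat object and the MITRE annotation."""
    e = dict(event, user=normalize_user(event["user"]), dest=normalize_dest(event["dest"]))
    message = (f"A network discovery command ({e['process_command_line']}) was performed on "
               f"'{e['dest']}' by user '{e['user']}' and launched by '{e['parent_process_name']}'")
    common = {"_time": e["_time"], "risk_score": RISK_SCORE, "risk_message": message,
              "threat_object": e["process_command_line"], "threat_object_type": "command",
              "annotations.mitre_attack.mitre_technique": MITRE_TECHNIQUE,
              "annotations.mitre_attack.mitre_tactic": MITRE_TACTIC}
    return [dict(common, risk_object=e["dest"], risk_object_type="system"),
            dict(common, risk_object=e["user"], risk_object_type="user")]

def generate_risk_events(events):
    """Run the rule end to end: filter, throttle, then fire the risk action per event."""
    risk_events = []
    for event in apply_throttling([e for e in events if matches_rule(e)]):
        risk_events.extend(risk_action(event))
    return risk_events

def validate(risk_events):
    """The validation search: stats count sum(risk_score) values(...) by risk_object,
    returned as a dict keyed by risk_object."""
    table = {}
    for ev in risk_events:
        row = table.setdefault(ev["risk_object"], {
            "count": 0, "sum_risk_score": 0, "risk_object_type": set(),
            "risk_message": set(), "mitre_technique": set(), "mitre_tactic": set()})
        row["count"] += 1
        row["sum_risk_score"] += ev["risk_score"]
        row["risk_object_type"].add(ev["risk_object_type"])
        row["risk_message"].add(ev["risk_message"])
        row["mitre_technique"].add(ev["annotations.mitre_attack.mitre_technique"])
        row["mitre_tactic"].add(ev["annotations.mitre_attack.mitre_tactic"])
    return table
```

Calling validate(generate_risk_events(SAMPLE_EVENTS)) returns one row per risk object (ws01, alice, ws02 and bob) with the count, the summed risk score and the collected values, which is the same shape the validation search shows you. Two things the example makes visible: the eval and rex normalizations are what turn CORP\Alice and ws01.corp.example.com into the alice and ws01 risk objects, so unnormalized user and host values would split one identity's or asset's risk across several risk objects; and because _time is among the throttling fields, only events with an identical timestamp are ever suppressed, so each matching process creation contributes its own risk.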

See also

For more information on risk incident rules, see the product documentation.

Next step

Now that you have created a risk incident rule, you can explore how to review risk in the Risk Analysis dashboard.

Last modified on 26 July, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0, 7.3.0, 7.3.1, 7.3.2

