Customizing risk factors by applying conditions to data fields
You can create and adjust risk factors based on the values of specific fields.
For example, the following search focuses on the signature field in the Web data model:
    | tstats summariesonly=true values(Web.dest) as dest values(Web.category) as category values(Web.user_bunit) as user_bunit
      FROM datamodel=Web WHERE Web.signature=* by Web.src Web.user Web.url | `drop_dm_object_name("Web")`
The following search indicates how you can adjust risk scores based on specific values using risk factors. The search uses the eval command to evaluate the values in the signature field and adjust the risk scores based on specific conditions:
    eval risk_adjust = case(
        signature="JS:Adware.Lnkr.A", "-50",
        signature="Win32.Adware.YTDownloader", "0",
        signature="Trojan.Win32.Emotet" AND NOT user_bunit="THREAT INTELLIGENCE", "+50")
If the signature field has a value of JS:Adware.Lnkr.A, it indicates that the user's system might have adware that can lead victims to harmful sites. Adware is usually harmless unless the user takes action. You do not need to take further action such as uninstalling the software, and you can reduce the risk score by 50.
If the signature field has a value of Win32.Adware.YTDownloader, it indicates that the user might have unknowingly downloaded a file. In such cases, the analyst uses their discretion to leave the risk score as is.
If the signature field has a value of Trojan.Win32.Emotet, it indicates that malware might have infected the user's system. Malware of this kind typically spreads through phishing emails with malicious attachments. The analyst can then increase the risk score by 50 because the signature indicates an active threat.
Using risk factors, you can apply varying amounts of risk based on specific conditions.
Example: How to modify risk factors based on categories of risky behavior
An analyst has identified specific categories of risky behavior observed in their security operations center (SOC). The analyst weighs the risk associated with each activity type so that they can increase or decrease the risk factor accordingly. The analyst decides to multiply the risk associated with the behaviors as indicated in the following table.
Risky behavior type | Risky behavior | Multiply risk by factor
---|---|---
Negative behavior example | Unapproved software usage | 1
Data exfil example | Removable media file transfers | 2
Suspicious communications example | Foreign research communications | 2
Foreign travel example | Unreported travel | 2
Behavior anomalies example | Unusual data transfer volume | 3
High risk example | Elevated access | 3
Sensitive data exfil example | Keyterm or program related | 3
Modifying risk factors based on activity type helps the analyst to calibrate the risk score based on the specific requirements of their SOC.
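The two adjustments described on this page (the additive case() on the signature field, and the per-behavior multipliers in the table) can be replayed offline to check how they combine before you commit them as risk factors. The following Python model is an added example, not Splunk's code and not SPL: it encodes the page's conditions and table verbatim, but the event records, the base risk_score values, the user names, and the convention that the additive adjustment is applied before the multiplier (with a floor of zero) are all constructed assumptions for the example. It also mirrors SPL's case() semantics, where the first true condition wins and no match yields null.

```python
"""Offline model of the risk-factor logic on this page (added example, not Splunk's code).

Replays two adjustments over constructed events:
  1. an additive adjustment keyed on the signature field (the page's eval/case() search), and
  2. a multiplier keyed on the observed risky behavior (the page's table).
Field names follow the page's Web data model output; all event values are constructed.
"""


def signature_adjustment(event):
    """Return the additive adjustment for an event, mirroring the page's case() statement.

    Like SPL's case(), the first matching condition wins and no match returns None (null).
    The page writes the values as strings ("-50", "+50"); integers are used here so they
    can be added directly.
    """
    signature = event.get("signature")
    user_bunit = event.get("user_bunit")
    if signature == "JS:Adware.Lnkr.A":
        return -50                       # adware: reduce the score by 50
    if signature == "Win32.Adware.YTDownloader":
        return 0                         # analyst discretion: leave the score as is
    if signature == "Trojan.Win32.Emotet" and user_bunit != "THREAT INTELLIGENCE":
        return 50                        # active threat outside the threat-intel unit: +50
    return None


# Multipliers from the page's table, keyed by the "Risky behavior" column.
BEHAVIOR_MULTIPLIER = {
    "Unapproved software usage": 1,
    "Removable media file transfers": 2,
    "Foreign research communications": 2,
    "Unreported travel": 2,
    "Unusual data transfer volume": 3,
    "Elevated access": 3,
    "Keyterm or program related": 3,
}


def score_event(event):
    """Apply the additive factor, then the multiplier (assumed order for this example).

    A behavior not listed in the table multiplies by 1, and the result is floored at zero so
    a large negative adjustment cannot produce a negative risk score.
    """
    adjust = signature_adjustment(event)
    score = event["risk_score"] + (adjust if adjust is not None else 0)
    multiplier = BEHAVIOR_MULTIPLIER.get(event.get("behavior"), 1)
    return max(0, score * multiplier)


def score_all(events):
    """Sum adjusted scores per user, the way a risk index is aggregated per risk object."""
    totals = {}
    for event in events:
        totals[event["user"]] = totals.get(event["user"], 0) + score_event(event)
    return totals


# Constructed sample events (not real data); base risk_score values are assumptions.
SAMPLE_EVENTS = [
    {"user": "alice", "signature": "JS:Adware.Lnkr.A", "user_bunit": "Sales",
     "behavior": "Unapproved software usage", "risk_score": 60},
    {"user": "bob", "signature": "Win32.Adware.YTDownloader", "user_bunit": "Sales",
     "behavior": "Removable media file transfers", "risk_score": 40},
    {"user": "carol", "signature": "Trojan.Win32.Emotet", "user_bunit": "Finance",
     "behavior": "Elevated access", "risk_score": 40},
    {"user": "dave", "signature": "Trojan.Win32.Emotet", "user_bunit": "THREAT INTELLIGENCE",
     "behavior": "Unusual data transfer volume", "risk_score": 40},
    {"user": "erin", "signature": "Example.Unlisted.Sig", "user_bunit": "Sales",
     "risk_score": 20},
]

if __name__ == "__main__":
    for user, total in sorted(score_all(SAMPLE_EVENTS).items()):
        print(f"{user:6s} adjusted risk = {total}")
```

Running the block shows the interaction worth checking: carol's Emotet hit on an elevated-access account goes from 40 to 270, while dave's identical signature inside the THREAT INTELLIGENCE unit gets no additive bump and only the ×3 behavior multiplier. Seeing those numbers side by side is a quick way to confirm that an exclusion clause and a multiplier do what the analyst intended before the factors go live.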
See also
For more information about how risk factors are associated with risk objects and how they impact risk scores, see the product documentation.
Create risk factors in Splunk Enterprise Security
Manage risk factors in Splunk Enterprise Security
Use default risk factors for guidance to create risk factors in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2