Create an ad-hoc risk entry to adjust risk scores in Splunk Enterprise Security
Create an ad-hoc risk entry to make a manual, one-time adjustment to an object's risk score. You can use ad hoc risk entries to add a positive or negative number to the risk score of an object.
Add an ad hoc risk entry to neutralize risk manually, or as part of an automation when you close an event. Specify the field that you want to search and select a value for that field. You can then add to, subtract from, or multiply the risk score at your discretion.
Adding an ad hoc risk entry lets you add more risk for accounts with administrative privileges, executive systems, external assets, and so on. It also lets you reduce the risk for known entities. You can even reduce the risk to zero to ensure that the event gets tracked but does not create notables. This lets you use the event in conjunction with other contextual events and assign risk only when the events are seen together.
Follow these steps to create an ad-hoc risk entry:
- Select Security Intelligence > Risk Analysis.
- Select Create Ad-hoc Risk Entry.
- Complete the form.
- Select Save.
Risk modifiers | Description | Value |
---|---|---|
Risk score | Displays the relative risk of an asset or identity such as a device or a user in your network environment over time. | Positive or negative integer. |
Risk object | Represents a system, host, device, user, role, credential, or any object that the correlation search reports on. | Text field. You can also use an asterisk (*) as a wildcard character. |
Risk object type | Maps the risk object to a specific type. | Example: system, user, hash_values, network_artifacts, host_artifacts, tools, other |
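As an added illustration (not Splunk Enterprise Security code), the following Python models how an ad hoc entry combines with the modifiers already on an object: the risk index is simulated as a list of constructed modifier events, the entry's asterisk wildcard is matched against risk objects, and add, subtract and multiply are all expressed as appended modifiers, so multiplying by zero leaves the object tracked with a total of zero and no notable. The notable threshold, the sample events and the `source` field are assumptions made for the example.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample of risk modifier events, standing in for what correlation
# searches would already have written to the risk index (field names follow the
# form fields above; "source" is the rule that produced the modifier).
RISK_EVENTS = [
    {"risk_object": "svc-backup", "risk_object_type": "user", "risk_score": 40, "source": "Excessive Failed Logins"},
    {"risk_object": "svc-backup", "risk_object_type": "user", "risk_score": 40, "source": "New Admin Group Member"},
    {"risk_object": "jdoe", "risk_object_type": "user", "risk_score": 30, "source": "Excessive Failed Logins"},
    {"risk_object": "host-exec-01", "risk_object_type": "system", "risk_score": 20, "source": "Rare Process Launch"},
]
NOTABLE_THRESHOLD = 100  # assumed for the illustration; ES risk incident rules set their own

def total_risk(events):
    """Sum risk_score per (risk_object, risk_object_type), like a stats sum over the risk index."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["risk_object"], e["risk_object_type"])] += e["risk_score"]
    return dict(totals)

def adhoc_entries(events, pattern, risk_object_type, value, op="add"):
    """Build the ad hoc modifier events that add, subtract, or multiply the score
    of every object matching pattern ('*' is a wildcard, as in the form).
    The risk index is append-only, so "multiply" becomes one extra modifier that
    moves the current total to total * value (value 0 neutralises the object)."""
    new = []
    for (obj, typ), current in total_risk(events).items():
        if typ != risk_object_type or not fnmatchcase(obj, pattern):
            continue
        if op == "add":
            score = value
        elif op == "subtract":
            score = -value
        elif op == "multiply":
            score = current * value - current
        else:
            raise ValueError(f"unknown op {op!r}")
        new.append({"risk_object": obj, "risk_object_type": typ,
                    "risk_score": score, "source": "Ad-hoc Risk Entry"})
    return new

def notable_objects(events, threshold=NOTABLE_THRESHOLD):
    """Objects whose summed risk reaches the threshold (the ones that would raise a notable)."""
    return sorted(o for (o, _), s in total_risk(events).items() if s >= threshold)

def tracked_objects(events):
    """Every object with at least one modifier, whatever its total: still visible for correlation."""
    return sorted({e["risk_object"] for e in events})
```

Appending `adhoc_entries(events, "svc-*", "user", 30)` pushes the admin service account past the threshold, while `adhoc_entries(events, "jdoe", "user", 0, op="multiply")` leaves `jdoe` in `tracked_objects` with a total of 0, so it stays available for correlation without producing a notable.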
See also
For more information about how best to use RBA in your security environment, see the product documentation.
- Manage risk objects in Splunk Enterprise Security
- How risk scores work in Splunk Enterprise Security
- How to assign risk in Splunk Enterprise Security
- How risk modifiers impact risk scores in Splunk Enterprise Security
- How risk annotations provide additional context in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2