How to assign risk in Splunk Enterprise Security
You can assign or modify risk to an object using the following methods:
- Create a risk analysis response action or risk modifier
- Use a correlation search
You can dynamically assign risk scores based on the event types so that you can identify evolving threats in your security environment.
For example, you can assign a risk score of 0 to successful HTTP POST events, which indicate that the client's request was received, understood, and accepted, and a risk score of 20 to failed HTTP POST events, because they represent actions that were attempted but not performed. Similarly, you can assign a lower risk score to commands such as systeminfo, ipconfig, or netstat issued from a user account on another user's computer, while still tracking them as possibly malicious events that might later contribute to a risk notable.
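The following search is an added example, not from the Splunk documentation, of how the scoring rule above can be expressed in SPL so that a correlation search's Risk Analysis response action can read the resulting risk_object, risk_object_type, risk_score and risk_message fields. The index names, sourcetypes, the dest_owner asset field and the specific event fields are assumptions; adjust them to your data model.

```spl
(index=web sourcetype=access_combined http_method=POST)
  OR (index=endpoint sourcetype=XmlWinEventLog EventCode=4688
      process_name IN ("systeminfo.exe", "ipconfig.exe", "netstat.exe"))
| eval event_class=case(
      http_method="POST" AND status>=200 AND status<300, "post_ok",
      http_method="POST", "post_failed",
      EventCode=4688 AND isnotnull(dest_owner) AND user!=dest_owner, "recon_cmd_foreign_host",
      true(), "other")
| eval risk_score=case(
      event_class="post_ok", 0,
      event_class="post_failed", 20,
      event_class="recon_cmd_foreign_host", 5,
      true(), 0)
| eval risk_object=coalesce(user, src),
       risk_object_type=if(isnotnull(user), "user", "system"),
       risk_message=event_class." observed on ".coalesce(dest, "unknown")
| where risk_score > 0
| table _time, event_class, risk_object, risk_object_type, risk_score, risk_message
```

Successful POSTs are kept in the case() logic with a score of 0 so the rule is explicit, but the where clause drops them before any risk is written; the low-scoring recon commands still produce a risk entry and can accumulate toward a risk notable.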
Assign a risk score
To assign risk using Splunk Enterprise Security, choose one of the following methods:
- Modify risk scores. See Modify a risk score with a risk modifier in Splunk Enterprise Security.
- Create an ad hoc risk entry from the Risk Analysis dashboard. See Create an ad hoc risk entry in Splunk Enterprise Security.
- Assign risk through a search. See Assign risk through a search in Splunk Enterprise Security.
See also
For more information about how best to use RBA in your security environment, see the product documentation.
- How risk-based alerting works in Splunk Enterprise Security
- How risk scores work in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2