How to create risk notables using Splunk Enterprise Security
Risk rules are correlation searches that generate risk. A risk incident rule is a correlation search that generates a risk notable.
RBA uses risk incident rules instead of typical correlation searches to generate risk notables so that alerting corresponds to the magnitude of the risk associated with the risk object.
A typical correlation search scans multiple data sources only for defined patterns and performs an adaptive response action when it finds the pattern. For more information on standard correlation search, see Correlation search overview in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.
A risk incident rule reviews the events in the risk index and uses an aggregation of events impacting a single risk object to generate risk notables. Risk incident rules review the risk index for anomalous events and threat activities. When a risk incident rule finds a risk object associated with several risk events, it creates a risk notable in Splunk Enterprise Security. When the risk scores associated with a risk notable surpass a specified threshold over a period of time, analysts can focus their efforts on the connected behaviors associated with that risk notable. The aggregated risk score of an asset or identity is the sum of all the risk scores for risk events in the risk index that apply to that specific asset or identity over a period of time.
In addition to a base detection search, risk incident rules can also include MITRE enrichment data such as:
- Tactic_Name
- Tactic Number
- Technique
- Technique Reference
For example:
- Tactic_Name: credential_access
- Tactic Number: T1098
- Technique: Account Manipulation
- Technique Reference: https://attack.mitre.org/techniques/T1098/
Following is an example of a risk incident rule with MITRE enrichment data:
RR-credential_access - T1098 - Account Manipulation-https://attack.mitre.org/techniques/T1098/
You can also use the default risk incident rules available in Splunk Enterprise Security Content Updates (ESCU) or Splunk Security Essentials (SSE).
Adding a risk message also provides additional context that analysts can use during their triage process. The Risk Message field tells the story of what is happening to the user or system and helps analysts determine whether the risk object should become a risk notable for risk analysis.
Following are some examples of risk incident rules that might generate useful risk notables:
- 7 day ATT&CK Tactic Threshold Exceeded: A default risk incident rule that generates risk notables when a threshold for MITRE ATT&CK tactics is exceeded over a seven day period.
- 24 hour Risk Threshold Exceeded: A default risk incident rule that generates risk notables when a threshold for risk score is exceeded over a 24 hour period.
- 24 hour ATT&CK Tactic Threshold Exceeded: A risk incident rule that generates risk notables when a threshold for MITRE ATT&CK tactics is exceeded over a 24 hour period.
- 7 day Risk Threshold Exceeded: A risk incident rule that generates risk notables when a threshold for risk score is exceeded over a 7 day period.
- Anomalous Risk Score Within an Identity Category: A risk incident rule that generates risk notables when a user displays risk scores of more than two standard deviations over their peers.
- Anomalous Risk Score Within an Asset Category: A risk incident rule that generates risk notables when a system displays risk scores of more than two standard deviations over peer systems.
- Anomalous Score Trend for a Role: A risk incident rule that generates risk notables when there is a significant percentage increase in risk score for a specific user role.
- Anomalous Score Trend for an Asset Category: A risk incident rule that generates risk notables when there is a significant percentage increase in risk score for a specific asset category.
- Anomalous Score Trend for Threat Object Type: A risk incident rule that generates risk notables when there is a significant percentage increase in risk score for a specific type of threat object.
- Threat Object Observed Across a Number of Risk Objects: A risk incident rule that generates risk notables when a threat object is observed for the first time across a small number of risk objects.
- Status Impact Accuracy KPIs: A risk incident rule that generates risk notables when the status, impact, and accuracy of key performance indicators of an organization are impacted.
- Mean time to resolution (MTTR): A risk incident rule that generates risk notables when the threshold for the mean time to resolution is exceeded.
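The aggregation described earlier (summing risk events per risk object over a time window) and the threshold and anomaly rules listed above, as an added worked example that is not part of this page and not Splunk's own implementation: in Enterprise Security these rules are SPL correlation searches over the risk index, while the Python below only models their logic over constructed risk events. The field names, categories and thresholds (100 points, three distinct tactics, two sample standard deviations above peers) are assumptions; the stale event older than 24 hours is included to show why the window matters.

```python
"""Model of how risk incident rules turn risk events into risk notables.

Added illustration, not Splunk code. Field names are simplified assumptions
(_time, risk_object, risk_object_type, category, risk_score, tactic,
risk_message); events and thresholds are constructed.
"""
from collections import defaultdict
from statistics import mean, stdev

DAY = 86400      # length of the 24-hour window, in seconds
NOW = 2 * DAY    # constructed "current time" in epoch seconds


def event(t, obj, obj_type, category, score, tactic, message):
    """Build one constructed risk event as a risk rule would write it."""
    return {"_time": t, "risk_object": obj, "risk_object_type": obj_type,
            "category": category, "risk_score": score, "tactic": tactic,
            "risk_message": message}


# Constructed sample of the risk index.
RISK_EVENTS = [
    # Stale: older than 24 hours, so it must not count toward the window.
    event(100, "alice", "user", "finance", 500, "credential_access", "Old password spray against alice"),
    # alice: three events, three distinct tactics, 150 points inside the window.
    event(90000, "alice", "user", "finance", 50, "credential_access", "Account Manipulation: alice added to a privileged group"),
    event(120000, "alice", "user", "finance", 50, "persistence", "Scheduled task created under alice"),
    event(150000, "alice", "user", "finance", 50, "lateral_movement", "alice opened RDP sessions to five new hosts"),
    # Five peers in the same identity category, one low-score event each.
    *[event(100000, p, "user", "finance", 20, "discovery", f"{p} enumerated group membership")
      for p in ("bob", "carol", "dave", "erin", "frank")],
    # A system alone in its asset category: no peer group to compare against.
    event(110000, "srv-db-01", "system", "database", 80, "exfiltration", "Large outbound transfer from srv-db-01"),
]


def aggregate_risk(events, window_start, window_end):
    """Sum risk_score per risk object over [window_start, window_end) and
    collect the distinct ATT&CK tactics and the risk messages seen."""
    agg = {}
    for e in events:
        if not window_start <= e["_time"] < window_end:
            continue
        key = (e["risk_object"], e["risk_object_type"])
        entry = agg.setdefault(key, {"risk_score": 0, "tactics": set(), "messages": []})
        entry["risk_score"] += e["risk_score"]
        entry["tactics"].add(e["tactic"])
        entry["messages"].append(e["risk_message"])
    return agg


def risk_threshold_exceeded(agg, threshold=100):
    """'Risk Threshold Exceeded' style rule: aggregated score above threshold."""
    return {obj: v for obj, v in agg.items() if v["risk_score"] > threshold}


def tactic_threshold_exceeded(agg, min_tactics=3):
    """'ATT&CK Tactic Threshold Exceeded' style rule: enough distinct tactics."""
    return {obj: v for obj, v in agg.items() if len(v["tactics"]) >= min_tactics}


def anomalous_within_category(agg, categories, sigma=2.0):
    """'Anomalous Risk Score Within a Category' style rule: an object scoring
    more than sigma sample standard deviations above its peers. Returns the
    z-score of each flagged object; categories with fewer than two members
    or with no variance are skipped, so a singleton category never fires."""
    by_cat = defaultdict(list)
    for obj, v in agg.items():
        by_cat[categories[obj[0]]].append((obj, v["risk_score"]))
    flagged = {}
    for members in by_cat.values():
        scores = [s for _, s in members]
        if len(scores) < 2:
            continue
        mu, sd = mean(scores), stdev(scores)
        if sd == 0:
            continue
        for obj, s in members:
            if s > mu + sigma * sd:
                flagged[obj] = round((s - mu) / sd, 2)
    return flagged


def make_notable(rule_name, obj, entry, **extra):
    """Risk notable: the aggregated view an analyst triages, with the risk
    messages carried along as the story of what happened to the object."""
    name, obj_type = obj
    notable = {"rule": rule_name, "risk_object": name, "risk_object_type": obj_type,
               "risk_score": entry["risk_score"], "tactics": sorted(entry["tactics"]),
               "risk_messages": list(entry["messages"])}
    notable.update(extra)
    return notable


def run_rules(events, now=NOW):
    """Apply the three modelled rules over the last 24 hours; returns notables."""
    agg = aggregate_risk(events, now - DAY, now)
    categories = {e["risk_object"]: e["category"] for e in events}
    notables = []
    for obj, entry in risk_threshold_exceeded(agg).items():
        notables.append(make_notable("24 hour Risk Threshold Exceeded", obj, entry))
    for obj, entry in tactic_threshold_exceeded(agg).items():
        notables.append(make_notable("24 hour ATT&CK Tactic Threshold Exceeded", obj, entry))
    for obj, z in anomalous_within_category(agg, categories).items():
        kind = "Identity" if obj[1] == "user" else "Asset"
        notables.append(make_notable(f"Anomalous Risk Score Within an {kind} Category",
                                     obj, agg[obj], z_score=z))
    return notables
```

Running `run_rules(RISK_EVENTS)` produces three notables, all for `alice`: her 150 points exceed the score threshold, her three tactics meet the tactic threshold, and she sits about 2.04 standard deviations above the other finance users. Her 500-point event from two days ago is ignored by the window, `srv-db-01` scores 80 and is alone in its category, so neither rule fires for it. The risk messages travel into the notable so the analyst sees the sequence of behaviors, which is the context the Risk Message field is meant to provide.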
See also
For more information about risk-based correlation searches, see the product documentation:
- How risk-based alerting works in Splunk Enterprise Security
- How risk scores work in Splunk Enterprise Security
- How risk objects impact risk scores in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2