Modify a risk score with a risk modifier in Splunk Enterprise Security
Modify a risk score as a result of a correlation search or in response to notable event details with the Risk Analysis adaptive response action in the Correlation Search Editor. The risk adaptive response action creates a risk modifier event.
You can view the risk modifier events on the Risk Analysis dashboard in Enterprise Security. To access the Risk Analysis dashboard from Splunk Enterprise Security, go to Security Intelligence > Risk Analysis.
- In Splunk Web, navigate to the Correlation Search Editor.
- Select Add New Response Action and select Risk Analysis.
- Select + to add a risk modifier.
- Enter a positive or a negative integer or a decimal number in the Risk Score field to assign a value to the risk object.
- In the Risk Object Field, enter the name of a field that exists in the correlation search to apply the risk score to the field. For example, enter src to select the source field.
- In the Risk Object Type field, enter the name of an object type to select whether the entity is a system, user, or other. The results from the `risk_object_types` macro define the list displayed. For example, enter host_artifacts for an asset.
- Select + to add additional risk modifiers and follow the previous steps to assign different risk scores to different fields.
This view is unique to the correlation search editor. You do not see it, for example, in the adaptive response actions through Incident Review.
You can see the changes that you made to the risk score by searching the data model.
| from datamodel:Risk.All_Risk | search (risk_object=myuser OR risk_object=mysystem)
You can also see the changes using the risk correlation lookup.
| makeresults | eval dest="mysystem" | `risk_correlation`
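The following Python model is an added illustration, not Splunk code, of the two ideas on this page: a Risk Analysis response action turns each correlation search result into one risk modifier event per configured modifier (field, object type, score), and the Risk data model search then shows those events summed per risk object. The field names risk_object, risk_object_type and risk_score follow the Risk data model referenced above; the search name, the sample result rows and the modifier values are constructed for the example.

```python
"""Added model of risk modifier events produced by a Risk Analysis
response action and of per-object risk totals. Not Splunk code; the
sample correlation search results and modifier values are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskModifier:
    """One entry added with + in the Risk Analysis response action."""
    risk_object_field: str   # Risk Object Field, e.g. src, user, dest
    risk_object_type: str    # Risk Object Type, e.g. system or user
    risk_score: float        # positive or negative integer or decimal


def apply_risk_modifiers(search_name, results, modifiers):
    """Emit one risk modifier event per (result row, modifier) pair.

    A row that lacks the configured field (or has it empty) yields no
    event for that modifier, mirroring how a risk object needs a value."""
    events = []
    for row in results:
        for m in modifiers:
            value = row.get(m.risk_object_field)
            if value in (None, ""):
                continue
            events.append({
                "search_name": search_name,
                "risk_object": value,
                "risk_object_type": m.risk_object_type,
                "risk_score": m.risk_score,
            })
    return events


def risk_by_object(events, risk_objects=None):
    """Sum risk_score per (risk_object, risk_object_type).

    Equivalent in spirit to searching Risk.All_Risk for the objects of
    interest and totalling risk_score; negative modifiers reduce the total."""
    totals = defaultdict(float)
    for e in events:
        if risk_objects and e["risk_object"] not in risk_objects:
            continue
        totals[(e["risk_object"], e["risk_object_type"])] += e["risk_score"]
    return dict(totals)


# Constructed results of a hypothetical correlation search: two rows,
# the second one without a dest value.
SAMPLE_RESULTS = [
    {"src": "10.0.0.5", "user": "myuser", "dest": "mysystem"},
    {"src": "10.0.0.5", "user": "myuser", "dest": ""},
]

# Constructed modifiers: different scores for different fields, including
# a decimal and a negative adjustment.
SAMPLE_MODIFIERS = [
    RiskModifier("src", "system", 20),
    RiskModifier("user", "user", 7.5),
    RiskModifier("dest", "system", -5),
]


def demo():
    events = apply_risk_modifiers("Example Risk Rule (constructed)",
                                  SAMPLE_RESULTS, SAMPLE_MODIFIERS)
    # Same filter as: search (risk_object=myuser OR risk_object=mysystem)
    return risk_by_object(events, {"myuser", "mysystem"})


if __name__ == "__main__":
    for (obj, obj_type), score in demo().items():
        print(f"{obj_type:7} {obj:10} {score:+}")
```

Run the script to see that myuser accumulates 15.0 across two results while mysystem ends at -5 because only the first row carried a dest value; the unfiltered totals also show the src address at 40.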
See also
For more information about how best to use RBA in your security environment, see the product documentation.
How risk scores work in Splunk Enterprise Security
Assign risk in Splunk Enterprise Security
How risk modifiers impact risk scores in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2