Prioritizing threat objects over risk objects in risk incident rules
Customize risk incident rules based on threat objects such as domains, command lines, IP addresses, registry keys, file names, or file directories, rather than on risk objects such as systems or users. Because a single threat object interacts with many risk objects, aggregating on threat objects gives a broader view of the security environment, and threat objects are better indicators for tracking suspicious behavior or activity. You can also use lookups as a tool to identify tunable parameters.
For example, you can use the following search to curate risk based on threat objects:
| tstats summariesonly=true count dc(All_Risk.risk_object) as dc_objects dc(All_Risk.src) as dc_src dc(All_Risk.dest) as dc_dest dc(All_Risk.user) as dc_users dc(All_Risk.user_bunit) as dc_bunit sum(All_Risk.calculated_risk_score) as risk_score values(source) as source from datamodel=Risk.All_Risk by All_Risk.threat_object,All_Risk.threat_object_type
| `drop_dm_object_name("All_Risk")`
| sort 1000 - risk_score
| head 200
| outputlookup RR_allowlist-Proxy.csv
The search does the following:
- The tstats command counts events and distinct values of fields such as risk object (risk_object), source (src), destination (dest), user (user), and the user's business unit (user_bunit) from the Risk data model, using only the accelerated summaries (summariesonly=true) for speed.
- The search sums the calculated risk scores of those threat objects and collects the names of the risk rules (source) that contributed to each one.
- The search groups the results by threat_object and threat_object_type; the drop_dm_object_name macro removes the All_Risk. prefix from the field names.
- The search sorts the results by descending risk score. The 1000 on the sort command caps the sorted output at 1,000 rows.
- The head command reduces the results to the top 200 and helps to focus only on the most likely sources of threat.
- The outputlookup command writes the results to a CSV lookup called RR_allowlist-Proxy.csv, so that you can review the highest-scoring threat objects and tune or allowlist the ones that turn out to be benign.
This search helps to provide context on how the various fields interact with each other. For example, you might notice that specific threat objects such as a command line or a registry key carry a high risk score. Drilling down on a high risk score across the breakdown of threat objects can reveal correlations, such as a high score that results from dozens of users in one business unit triggering the same rule. This might or might not indicate malicious behavior, but the security analyst can now use their judgment to adjust the risk score.
Some risk incident rules might continue to generate excessive alerts, for example from MITRE ATT&CK-based or other sources, which inflates the risk scores of the threat objects they touch. In such cases, reduce the weight that the noisy risk incident rules contribute when calculating the risk score.
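The following Python is an added example, not code from Splunk or from this page. It models offline what the tstats search above computes (event count, distinct counts, summed risk score per threat object and type, descending sort, head, and a CSV lookup), and adds a per-rule weight so that a noisy risk incident rule contributes less to the total, as the previous paragraph recommends. The risk events are constructed for the example; the source_weights parameter, the curate_by_threat_object and to_lookup_csv functions, and the rule names are assumptions, and the way multivalue fields are joined in the CSV is a simplification rather than Splunk's own export format.

```python
"""Offline model of the threat-object risk curation search (added example)."""
import csv
import io

# Constructed sample risk index events; field names follow the Risk data model.
RISK_EVENTS = [
    {"threat_object": "powershell.exe -enc ...", "threat_object_type": "command",
     "risk_object": "host1", "src": "10.0.0.5", "dest": "host1", "user": "alice",
     "user_bunit": "finance", "calculated_risk_score": 40, "source": "RR - Suspicious PowerShell"},
    {"threat_object": "powershell.exe -enc ...", "threat_object_type": "command",
     "risk_object": "host2", "src": "10.0.0.6", "dest": "host2", "user": "bob",
     "user_bunit": "finance", "calculated_risk_score": 40, "source": "RR - Suspicious PowerShell"},
    {"threat_object": "powershell.exe -enc ...", "threat_object_type": "command",
     "risk_object": "host3", "src": "10.0.0.7", "dest": "host3", "user": "carol",
     "user_bunit": "finance", "calculated_risk_score": 40, "source": "RR - Suspicious PowerShell"},
    {"threat_object": "update.example.net", "threat_object_type": "domain",
     "risk_object": "host1", "src": "10.0.0.5", "dest": "update.example.net", "user": "alice",
     "user_bunit": "finance", "calculated_risk_score": 20, "source": "RR - Rare Domain"},
    {"threat_object": "update.example.net", "threat_object_type": "domain",
     "risk_object": "host4", "src": "10.0.0.9", "dest": "update.example.net", "user": "dave",
     "user_bunit": "engineering", "calculated_risk_score": 20, "source": "RR - Rare Domain"},
    {"threat_object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "threat_object_type": "registry", "risk_object": "host5", "src": "10.0.0.10",
     "dest": "host5", "user": "eve", "user_bunit": "engineering",
     "calculated_risk_score": 90, "source": "RR - Registry Run Key"},
]

DISTINCT_FIELDS = ("risk_object", "src", "dest", "user", "user_bunit", "source")
LOOKUP_FIELDS = ["threat_object", "threat_object_type", "count", "dc_objects", "dc_src",
                 "dc_dest", "dc_users", "dc_bunit", "risk_score", "source"]


def curate_by_threat_object(events, source_weights=None, limit=200):
    """Group events by (threat_object, threat_object_type) as the tstats search does,
    sort by descending risk score and keep the top `limit` rows (the head command).

    source_weights maps a risk rule name (the `source` field) to a multiplier, e.g.
    {"RR - Suspicious PowerShell": 0.5}, so a noisy rule contributes only part of its
    score. This weighting is an assumption added for the example, not part of the
    page's search.
    """
    source_weights = source_weights or {}
    groups = {}
    for ev in events:
        key = (ev["threat_object"], ev["threat_object_type"])
        g = groups.setdefault(key, {"count": 0, "risk_score": 0,
                                    **{f: set() for f in DISTINCT_FIELDS}})
        g["count"] += 1
        g["risk_score"] += ev["calculated_risk_score"] * source_weights.get(ev["source"], 1)
        for f in DISTINCT_FIELDS:          # dc(...) is the size of each value set
            g[f].add(ev[f])
    rows = []
    for (obj, obj_type), g in groups.items():
        rows.append({
            "threat_object": obj, "threat_object_type": obj_type, "count": g["count"],
            "dc_objects": len(g["risk_object"]), "dc_src": len(g["src"]),
            "dc_dest": len(g["dest"]), "dc_users": len(g["user"]),
            "dc_bunit": len(g["user_bunit"]), "risk_score": g["risk_score"],
            "source": sorted(g["source"]),   # values(source): the contributing rules
        })
    rows.sort(key=lambda r: r["risk_score"], reverse=True)   # sort - risk_score
    return rows[:limit]                                       # head <limit>


def to_lookup_csv(rows):
    """Render curated rows as CSV text in the shape of the RR_allowlist-Proxy lookup.
    The multivalue source field is joined with ';' here (a simplification)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    writer.writeheader()
    for r in rows:
        writer.writerow({**r, "source": ";".join(r["source"])})
    return buf.getvalue()


if __name__ == "__main__":
    # Compare the unweighted ranking with one where the noisy PowerShell rule is halved.
    for weights in (None, {"RR - Suspicious PowerShell": 0.5}):
        for r in curate_by_threat_object(RISK_EVENTS, weights):
            print(f"{r['risk_score']:>6} {r['threat_object_type']:<9} "
                  f"users={r['dc_users']} bunits={r['dc_bunit']} {r['threat_object']}")
        print("---")
    with open("RR_allowlist-Proxy.csv", "w", newline="") as fh:
        fh.write(to_lookup_csv(curate_by_threat_object(RISK_EVENTS)))
```

In the unweighted run the command line ranks first because three finance users triggered the same rule, which is exactly the one-business-unit pattern the previous paragraph describes; halving that rule's weight moves the single registry Run key to the top without hiding the command line.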
See also
For more information about threat objects, see the product documentation.
Add a threat object to modify an adaptive response action
Supported types of threat intelligence in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2