Managing risk using risk-based alerting in Splunk Enterprise Security
One of the primary challenges that security analysts face is that risk-based alerting, if it is not curated, can generate as many notables as traditional alerting, and can also produce duplicate risk notables.
While risk notables provide context during security investigations, an excessive number of risk notables, or duplicate risk notables generated by normal business activity, can confuse analysts and impede their ability to detect threats.
To get the maximum value from risk-based alerting in Splunk Enterprise Security and curate risk in your security operations center (SOC), adjust your risk incident rules. For example, you might reduce the risk that a search contributes for predictable events, such as expected spikes in activity at certain times of day or during the installation of new tools in your security environment.
You can also adjust risk notables based on how they relate to each other and on the potential threat that a specific risk notable represents.
You can also narrow the time range, or detection window, of your risk incident rules to reduce the number of alerts. For example, you might reduce the window from 24 hours to 12 hours to focus on user activity during peak periods.
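The following search is an added example, not a rule shipped with Splunk Enterprise Security, of one risk incident rule that applies the adjustments described above in a single pass: a 12-hour detection window instead of 24 hours, a reduced score for risk events tied to predictable activity, a dedup so that a detection firing repeatedly against the same object counts once, and a risk threshold that must be crossed by more than one detection source. The 12-hour window, the 0.25 multiplier, the threshold of 100, the requirement for two distinct sources, and the literal "scheduled maintenance" text matched in the risk message are all assumed values for illustration; substitute the markers and numbers that fit your environment.

```spl
| datamodel Risk All_Risk search
| `drop_dm_object_name("All_Risk")`
| where _time >= relative_time(now(), "-12h")
| eval calculated_risk_score=if(match(risk_message, "scheduled maintenance"), calculated_risk_score * 0.25, calculated_risk_score)
| dedup source, risk_object, risk_object_type
| stats min(_time) as _time, values(source) as source, dc(source) as source_count, values(risk_message) as risk_message, sum(calculated_risk_score) as risk_score, count by risk_object, risk_object_type
| where risk_score > 100 AND source_count >= 2
```

The shipped risk incident rules aggregate with `tstats` against the accelerated Risk data model for speed; this example reads the events through the `datamodel` command because the per-event `eval` and the `dedup` need event-level fields such as `risk_message` and `source` before the scores are summed. The `where` on `_time` mirrors what you would normally set as the correlation search's time range in the rule configuration. The `dedup` is a trade-off: it removes inflated scores from a noisy detection, but it also discards genuinely repeated signal, so tune the contributing detection's own throttling first where that is the real cause of the repetition.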
Follow these best practices to manage risk in your security environment:
- Update assets and identities to add context for risk-based alerting
- Configure data models to normalize data for Splunk Enterprise Security
- Prioritize threat objects over risk objects in risk incident rules
- Customize risk factors by applying conditions to data fields
- Modify risk incident rules based on the search results
- Suppress false positives through dynamic throttling
- Use the dedup command to remove redundant alerts
- Adjust the risk threshold to avoid high alert volume
- Create a risk message to add context for investigations
- Troubleshoot common issues with risk-based alerting
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2