Run risk incident rules in Splunk Enterprise Security
As a detection engineer or security analyst, you can run risk incident rules to generate risk notables when the sum of risk scores for all risk events associated with a risk object reaches a certain threshold. Risk incident rules mine the risk index and aggregate the risk associated with risk objects such as assets and identities.
Follow these steps to run risk incident rules:
- In the Incident Review page, filter the correlation searches by risk and select the check box next to the default correlation searches to enable the default risk incident rules provided by Splunk Enterprise Security.
As a beginner to RBA, you can use the default risk incident rules in Splunk Enterprise Security to learn how risk based alerting works. After you familiarize yourself with RBA, you can customize the default risk incident rules based on the requirements of your security environment.Disable all other correlation searches to avoid unnecessary data noise.
- Select the search time range and search schedule to run the risk incident rule.
Use the following search timeline and schedule settings to balance your search performance, account for data lags, and set longer time frames to evaluate threat:- Earliest: -1h@h
- Latest: @h
- Schedule Cron: 07 * * * *
- Run the risk incident rule.
Risk incident rules usually run once in an hour.
- Identify the adjustments that you need to make to the risk incident rule.
- Use the Correlation Search editor to adjust the risk scores and severity associated with the risk incident rule.
You can also add dynamic severity to the search like in the following example:
- For a risk score > 100 over 12 hours, Severity is Medium
- For a risk score > 150 over 12 hours, Severity is High
- For a risk score > 200 over 12 hours, Severity is Critical
Do not overthink how to assign risk scores since the risk score of a single event matters less than the total number of events related to an individual object. When you assign risk scores to risk objects, you assign scores to individual events and the event scores get aggregated over time.
- Create a dynamic risk message for each risk incident rule.
Make sure that the risk message is descriptive, yet concise and consistent.
A risk message is an adaptive response action. Adding a custom risk message to a risk incident rule helps build detections based on specific information, such as risk scores. - Assign risk to multiple objects with the Risk Analysis adaptive response action in the Correlation Search Editor. Specify risk scores, risk objects, risk object types, threat objects, threat object types.
In Splunk Enterprise versions lower than 6.4.x, you can configure only a single risk object in a correlation search.
See also
For more information about risk based correlation searches and risk notables, see the product documentation.
How risk-based alerting works in Splunk Enterprise Security
How to create risk notables using Splunk Enterprise Security
Default risk incident rules in Splunk Enterprise Security
Risk notables in Splunk Enterprise Security
Change correlation search scheduling
Assign risk through a search in Splunk Enterprise Security | Default risk incident rules in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!