Default risk incident rules in Splunk Enterprise Security
Use the default risk incident rules available in Splunk Enterprise Security to begin risk-based alerting (RBA). Risk incident rules are correlation searches that run over the Risk data model (the risk index) and use an adaptive response action to generate risk notables when the risk aggregated for an object crosses a threshold. The risk events they aggregate are produced separately by risk rules.
The following risk incident rules are enabled by default:
The risk incident rule ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 days generates a risk notable when a risk object accumulates 3 or more distinct MITRE ATT&CK tactics from 4 or more distinct sources (risk rules) over the last 7 days. Only risk events that carry a MITRE tactic annotation are counted, as the where clause in the search shows:
| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.annotations.mitre_attack.mitre_tactic_id=* by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | eval "annotations.mitre_attack"='annotations.mitre_attack.mitre_technique_id' | where mitre_tactic_id_count >= 3 and source_count >= 4
The risk incident rule Risk Threshold Exceeded for Object Over 24 Hour Period searches the risk index, sums the calculated risk scores of all risk events for each object over the last 24 hours, and generates a risk notable when the total exceeds 100. For example, if an object has eight related risk events, each with a calculated risk score, the search adds all eight scores together and compares the sum with the threshold. A total of exactly 100 does not fire the rule because the comparison is strictly greater than:
| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` | eval "annotations.mitre_attack"='annotations.mitre_attack.mitre_technique_id', risk_threshold=100 | where risk_score > $risk_threshold$ | `get_risk_severity(risk_score)`
Search for the default risk incident rules
Follow these steps to search for the default risk incident rules in Splunk Enterprise Security:
- In the Splunk Enterprise Security app, navigate to Content > Content Management.
- Set the Type filter to Correlation Search.
- Set the App filter to SA-ThreatIntelligence.
- Search for Risk in the search bar.
Customize the default risk incident rules
You can also customize these risk incident rules by editing their searches to change specific conditions, such as the score threshold or the number of distinct tactics and sources, based on your security environment.
For example, in the risk incident rule Risk Threshold Exceeded for Object Over 24 Hour Period, you can raise the risk score threshold from 100 to 200 over the last 24 hours if that suits your environment. The threshold is set inside the search (eval ... risk_threshold=100), so change that value and confirm that the where clause still compares risk_score against $risk_threshold$.
See also
For more information about how best to use risk incident rules in your security environment, see the following topics in the product documentation: Run risk incident rules in Splunk Enterprise Security, and Risk notables in Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2