Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links now return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Assign risk through a search in Splunk Enterprise Security

You can assign risk through a search rather than through an alert. Do this when you want to modify the risk of multiple risk objects at once, or to set the risk score of an object based on the results of a search.

Use these search examples to assign risk to a user, system, or other risk object in a custom correlation search. To assign risk to a single field, or on an ad hoc basis, use the risk adaptive response action instead. See Configure adaptive response actions for a correlation search in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for a list of included adaptive response actions.

In each example, ... stands for the preceding part of a search whose results include the field to which you want to assign risk.

Assign risk with the appendpipe command

Use the appendpipe command to add risk to multiple objects. Replace <your_risk_score_integer> with the risk score that you want to apply to the fields.

... | eval risk_score=<your_risk_score_integer> | eval risk_object=if(isnotnull(dest),dest,null()),risk_object_type=if(isnotnull(dest),"system",null()) | appendpipe [| eval risk_object=if(isnotnull(user),user,null()),risk_object_type=if(isnotnull(user),"user",null())] | sendalert risk param._risk_score=<your_risk_score_integer>

For example, run this search to assign a risk score of 15 to the destination mysystem and to the user myuser.

| makeresults | eval dest="mysystem", user="myuser" | eval risk_object=if(isnotnull(dest),dest,null()),risk_object_type=if(isnotnull(dest),"system",null()) | appendpipe [| eval risk_object=if(isnotnull(user),user,null()),risk_object_type=if(isnotnull(user),"user",null())] | sendalert risk param._risk_score=15

Assign risk with the sendalert command

You can use the sendalert command without the appendpipe command to assign risk directly to field values, without performing conditional evaluations of the field values.

... | sendalert risk param._risk_object_type="system" param._risk_score=<your_risk_score_integer> | eval risk_object=user | sendalert risk param._risk_object_type="user" param._risk_score=<your_risk_score_integer>

For example:

| makeresults | eval dest="mysystem", user="myuser" | sendalert risk param._risk_object=dest param._risk_object_type="system" param._risk_score=15 | sendalert risk param._risk_object=user param._risk_object_type="user" param._risk_score=20

Compute and assign a risk score

You can also set a risk score based on a calculation performed in the search, rather than setting it to a static integer.

For example, if you want to give a higher risk score to users who log in to multiple infected assets, write a search that collects the logins to infected assets, counts those events by user so that each user's login count is visible, and derives the risk score from that count.

... | stats count by user | eval risk_score=(count*2) | sendalert risk param._risk_object=user param._risk_object_type="user" param._risk_score=risk_score

For example, the Threat Activity Detected correlation search uses search-assigned risk in addition to an alert-type risk modifier. When the search finds events in the Threat_Activity data model, it sets the risk score to the value of the Weight field in the data model if that field exists, and otherwise to 60.

In this case, the risk modifier reflects the number of times the system or user communicated with the threat list, multiplied by the weight of the threat list.

This gives the following formula: risk score of a system or user + (threat list weight x event count), where the product is the additional risk added to the object's risk score.

... | eval risk_score=case(isnum(record_weight), record_weight, isnum(weight), weight, 1=1, null()) | fields - *time | eval risk_object_type=case(threat_match_field=="query" OR threat_match_field=="src" OR threat_match_field=="dest","system",threat_match_field=="src_user" OR threat_match_field=="user","user",1=1,"other") | eval risk_object=threat_match_value
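As an added illustration (a Python model written for this page, not Splunk's own code and no substitute for the SPL above, which is what Enterprise Security actually runs), the following reproduces the logic of this section's searches on constructed sample events: the case() weight selection, the threat_match_field to risk_object_type mapping, the "weight x event count" modifier, and the count*2 scoring from the login search. The field names and the 60 fallback come from the page; the sample event values are constructed.

```python
from collections import Counter, defaultdict

# Mirrors eval risk_object_type=case(...) in the Threat Activity Detected search.
SYSTEM_FIELDS = {"query", "src", "dest"}
USER_FIELDS = {"src_user", "user"}
ALERT_RISK_SCORE = 60  # fallback the page describes when no Weight field exists

def risk_object_type(threat_match_field):
    """Map the matched field name to a risk object type, as the case() does."""
    if threat_match_field in SYSTEM_FIELDS:
        return "system"
    if threat_match_field in USER_FIELDS:
        return "user"
    return "other"

def event_weight(event):
    """case(isnum(record_weight), record_weight, isnum(weight), weight, 1=1, null()).
    Splunk field values are strings, so numeric strings count as numbers too."""
    for key in ("record_weight", "weight"):
        try:
            return float(event[key])
        except (KeyError, TypeError, ValueError):
            continue
    return None

def threat_risk_modifiers(events):
    """Return {(risk_object, risk_object_type): additional risk}. Summing weight per
    event equals weight x event count and also copes with lists of differing weight;
    an event with no numeric weight contributes the alert-level score instead."""
    totals = defaultdict(float)
    for ev in events:
        key = (ev["threat_match_value"], risk_object_type(ev["threat_match_field"]))
        weight = event_weight(ev)
        totals[key] += ALERT_RISK_SCORE if weight is None else weight
    return dict(totals)

def login_risk_scores(logins):
    """'... | stats count by user | eval risk_score=(count*2)' over a list of user logins."""
    return {user: count * 2 for user, count in Counter(logins).items()}

# Constructed sample data: threat-match events and logins to infected assets.
SAMPLE_THREAT_EVENTS = [
    {"threat_match_field": "dest", "threat_match_value": "mysystem", "weight": 20},
    {"threat_match_field": "dest", "threat_match_value": "mysystem", "weight": 20},
    {"threat_match_field": "dest", "threat_match_value": "mysystem", "weight": 20},
    {"threat_match_field": "user", "threat_match_value": "myuser", "record_weight": "40", "weight": 20},
    {"threat_match_field": "src", "threat_match_value": "host-no-weight"},
    {"threat_match_field": "url", "threat_match_value": "http://bad.example/x", "weight": 5},
]
SAMPLE_LOGINS = ["myuser", "myuser", "myuser", "otheruser"]
```

Calling threat_risk_modifiers(SAMPLE_THREAT_EVENTS) yields 60 for mysystem (3 events x weight 20), 40 for myuser (record_weight wins over weight) and 60 for the host with no weight; login_risk_scores(SAMPLE_LOGINS) gives myuser 6 and otheruser 2.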

See also

For more information about how best to assign risk in your security environment, see the product documentation.

How to assign risk in Splunk Enterprise Security

Last modified on 06 March, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
