Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Isolate user behaviors that pose threats with risk-based alerting

Ram, a security analyst at Buttercup Games, tracks user behavior and maintains the hygiene of Buttercup Games' security operations center (SOC) by monitoring the accounts, their purpose, and their expected usage. Certain users or systems in Ram's security environment pose a higher risk to the organization than others.

For users, this might be due to an impending termination, a history of security incidents, or the prominence of a particular individual, thereby increasing the likelihood of the user falling victim to attack. To mitigate this risk, Ram can place a user on a Watchlist. This is similar to tagging a restricted asset and can trigger alerts due to the increased risk associated with that particular user. Ram can also prioritize users based on their role or department such as whether they are a C-suite Executive or an assistant. User behaviors that represent insider security threats include compromised user credentials and misuse by privileged users.

Ram can also prioritize systems based on their exposure to vulnerabilities, such as internet-facing applications or a DMZ network, which is the segment that hosts an organization's exposed, outward-facing, untrusted services. Systems in production can also be at greater risk than development systems.

Ram identifies all high-priority accounts that typically have administrative privileges and executive-level authority. By identifying high-priority accounts, Ram can prevent unauthorized users from misusing the accounts that can access the sensitive and confidential assets of Buttercup Games.

Without risk-based alerting

Prior to using Splunk Enterprise Security, Ram must wait for a reported issue and then identify how to remove the data from the impacted device.

  1. First, Ram must decide whether to have the device shipped or to perform onsite forensic imaging.
  2. Then, Ram prepares a report on the findings.
  3. Finally, Ram partners with various teams to respond to the insider threat.

Though Ram has effective partnerships with other departments and a response plan, Ram realizes that automating the process can increase efficiency.

In addition, Ram's work is impacted by the following constraints:

  • The size of the SOC at Buttercup Games makes it impossible for Ram to maintain all the records, such as when an account was created, when an account became dormant, which accounts are shared between individuals, or whether an account is a service account.
  • Additionally, constantly evaluating multiple security tools and struggling with the massive alert volume makes it difficult to quickly identify unauthorized user behavior.
  • Finally, the risk of insider threat from company employees has significantly increased due to remote work and greater access to data from anywhere in the world.

With risk-based alerting

Instead of waiting for insider threat reports, Ram decides to proactively use risk-based alerting for existing data in the SOC to efficiently track account activity and monitor user behaviors to protect the business.

Follow these steps to see how Ram uses risk factors based on risk scores to identify unauthorized usage by insiders that pose a security threat to the SOC of Buttercup Games.

  1. Track high risk behavior using lookups
  2. Assign risk scores to high risk users
  3. Modify risk scores using the where command
  4. Increase risk factors to identify unauthorized usage
  5. Use the Risk Analysis dashboard to isolate user behaviors
  6. Investigate the risk notables using Threat Topology visualization
Last modified on 25 April, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2
