Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links might return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

How risk objects impact risk scores in Splunk Enterprise Security

A risk object refers to any asset, identity, user, or device in your security environment that can be used by Splunk Enterprise Security to identify potential security threats. As an administrator, you can create risk objects to categorize anything to which you assign a risk score. For example, you might categorize a laptop as a system risk object type and an identity as a user risk object type.

When a risk object generates an event that is a potential threat, the risk modifier associated with the risk object increases the risk score of the object. When a risk incident rule finds a risk object associated with several risk events, the risk incident rule creates risk notables in Splunk Enterprise Security.

Only a few key fields are required to create a risk notable: the risk_object and risk_object_type fields.

Risk object field

The risk_object field is a reference to a search field returned by a correlation search. Correlation searches use fields such as src and dest to report on matching results. The risk_object field represents a system, host, device, user, role, credential, or any object that the correlation search reports on.

Risk object types

If a risk object matches an object in the asset or identity table, Enterprise Security maps the object to the associated type. For example, an object that matches an asset in the asset lookup maps to the system risk object type. However, devices and users that do not appear in the corresponding asset and identity tables cannot be identified as system or user risk objects. ES categorizes undefined or experimental object types with a risk object type of Other.

Splunk Enterprise Security defines the following risk object types.

Object type | Description
------------|------------
System | Network device or technology. Can represent a device in the asset lookup.
User | Can represent an identity such as a network user, credential, or role in the identity lookup.
Hash values | Numeric value of a fixed length that uniquely identifies large amounts of data. Used with digital signatures.
Network artifacts | Provides significant clues about any unauthorized access by unauthorized entities in a network.
Host artifacts | Events caused by adversary activities on one or more hosts, such as registry keys or values known to be created by specific pieces of malware, files, or directories.
Tools | Software used by attackers to accomplish their mission.
Other | Any undefined object in a data source field.

Example: Reset a risk score for a risk object

You can reset a risk score for an object, but only with certain limitations.

Consider a scenario where correlation searches generate many notables for an infected system, which leads to a high risk score. After re-imaging, the system still has the same IP address or host name, so you need to reset its risk score to zero as if it were a new system.

If the host is 192.0.2.2 with a 480.0 risk score, you have only the following options to change the risk score to zero, because risk scores contain a time component:

  • Change the time range picker from the default, which changes the risk score. You might see no results for this host if you change the time range to Last 15 minutes. The score is zero if no events get created in that time frame. This does not reset the score, but helps you verify the new risk score, if you know the time frame of when you re-imaged the system.
  • Create an ad-hoc risk entry with a risk score of -480. However, this depends on the time frame and also does not reset the score. If your ad-hoc risk entry is outside the time window of the event, the negative offset does not apply, and the object has a score of -480. See Create an ad hoc risk entry in Splunk Enterprise Security.
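The following Python model is an added example, not Splunk code and not an ES search: it reproduces in plain code the behaviour described in the risk object field, risk object types, and reset sections above. The asset and identity lookups, the correlation search names (constructed_rule_0 and _1), the risk incident rule thresholds (min_sources, min_score), and all timestamps are constructed for the example. It shows how a correlation search result field becomes a risk_object, how the risk_object_type is derived from lookup matches, how the score is a sum over the search time range, and why the two reset options behave as the page says (zero in a 15-minute window, zero with a -480 ad-hoc entry only while the window covers both, and -480 when the window holds only the ad-hoc entry).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-ins for the ES asset and identity lookups (not the real tables).
ASSET_LOOKUP = {"192.0.2.2", "web01.example.com"}
IDENTITY_LOOKUP = {"alice", "svc_backup"}


def classify_risk_object(value):
    """Asset match -> system, identity match -> user, anything undefined -> other."""
    if value in ASSET_LOOKUP:
        return "system"
    if value in IDENTITY_LOOKUP:
        return "user"
    return "other"


@dataclass
class RiskEvent:
    """One row in the risk index: what was scored, by how much, when, and by what."""
    time: datetime
    risk_object: str
    risk_object_type: str
    risk_score: float
    source: str  # correlation search name, or "ad-hoc" for a manual entry


def risk_event_from_result(result, risk_field, score, rule, when):
    """Turn one correlation search result into a risk event. risk_field names the
    result field (src, dest, user, ...) whose value becomes the risk_object."""
    obj = result[risk_field]
    return RiskEvent(when, obj, classify_risk_object(obj), score, rule)


def ad_hoc_entry(risk_object, score, when):
    """A manual risk entry; a negative score offsets earlier events in the same window."""
    return RiskEvent(when, risk_object, classify_risk_object(risk_object), score, "ad-hoc")


def risk_score(events, risk_object, earliest, latest):
    """Risk score for the object over the search time range: the sum of risk_score for
    its events inside [earliest, latest]. Events outside the range do not count."""
    return sum(e.risk_score for e in events
               if e.risk_object == risk_object and earliest <= e.time <= latest)


def risk_notable_candidates(events, earliest, latest, min_sources=2, min_score=100.0):
    """Objects a (constructed) risk incident rule would raise a risk notable for:
    several distinct risk events in the window and a score at or above a threshold."""
    objects = {e.risk_object for e in events if earliest <= e.time <= latest}
    hits = []
    for obj in sorted(objects):
        sources = {e.source for e in events
                   if e.risk_object == obj and earliest <= e.time <= latest}
        if len(sources) >= min_sources and risk_score(events, obj, earliest, latest) >= min_score:
            hits.append(obj)
    return hits


def reset_scenarios():
    """Replay the page's re-imaging scenario for host 192.0.2.2 with constructed times."""
    t0 = datetime(2023, 11, 1, 9, 0)      # first detection (constructed)
    reimaged = t0 + timedelta(days=3)     # host re-imaged, keeps the same IP
    events = []
    # Six correlation search hits over 2.5 days, 80.0 each, totalling 480.0.
    for i in range(6):
        result = {"src": "192.0.2.2", "dest": "10.0.0.5", "user": "alice"}
        events.append(risk_event_from_result(result, "src", 80.0,
                                             "constructed_rule_%d" % (i % 2),
                                             t0 + timedelta(hours=12 * i)))
    week = timedelta(days=7)
    out = {}
    # A range covering every event: the inflated score the analyst sees.
    out["before_reset_7d"] = risk_score(events, "192.0.2.2", reimaged - week, reimaged)
    out["notable_before_reset"] = risk_notable_candidates(events, reimaged - week, reimaged)
    # Option 1: narrow the picker to Last 15 minutes after re-imaging: nothing in range.
    out["last_15_min"] = risk_score(events, "192.0.2.2",
                                    reimaged + timedelta(minutes=45), reimaged + timedelta(hours=1))
    # Option 2: ad-hoc entry of -480 at re-image time; zero only while the window holds both.
    events.append(ad_hoc_entry("192.0.2.2", -480.0, reimaged))
    out["with_adhoc_7d"] = risk_score(events, "192.0.2.2", reimaged - week, reimaged)
    # A range that contains the ad-hoc entry but none of the original events shows -480.
    out["adhoc_only_4h"] = risk_score(events, "192.0.2.2",
                                      reimaged - timedelta(hours=3), reimaged + timedelta(hours=1))
    return out


if __name__ == "__main__":
    for name, value in reset_scenarios().items():
        print(name, value)
```

The model makes the limitation concrete: neither option deletes the original risk events, so any time range that still covers them (or that covers only the offsetting entry) produces a non-zero score. Only a range that includes both the original events and the negative entry, or one that excludes all of them, shows zero.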

See also

For more information about how risk objects are associated with risk modifiers and impact risk scores, see the product documentation.

How risk-based alerting works in Splunk Enterprise Security

How risk modifiers impact risk scores in Splunk Enterprise Security

Modify a risk score with a risk modifier in Splunk Enterprise Security

Prioritize threat objects over risk objects in risk incident rules

Last modified on 21 November, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2

