Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Modify risk scores using the where command

This is the third step in the Isolate user behaviors that pose threats with risk-based alerting scenario.

After adjusting the risk scores for high risk users, Ram uses the where command, which uses eval-expressions to filter search results based on risk scores. This helps Ram modify risk scores based on specific search criteria and fields in the network environment. With the where command, Ram can set the risk threshold and filter the alert noise by customizing risk-based alerting. In this example, Ram filters all entities that have a risk score of less than 75 and a high risk file count of less than 100.

Ram can now investigate specific user behaviors that might indicate malicious insiders using data exfiltration for unauthorized data transfer from their computer. Ram can also track whether a high risk user deleted more than 100 files and score risk objects based on specific fields that map to an insider threat MITRE tactic or technique. Ram can now determine whether a specific user or behavior requires further investigation.

| where (risk_score >= 75 AND total_hvf >=10 AND (tactic_exfil_value >= 100 OR tactic_delete_value >= 100))

To summarize, Ram uses risk-based alerting to build robust risk incident rules that populate the risk index and target high risk users that helps to save energy and resources for the security operations center (SOC). In this example, Ram uses the eval statements to establish the average risk score and the standard deviation from that risk score. Ram uses the stats command to identify fields and determine exfiltration. The where command helps Ram to reduce false positives.

Index = risk |lookup high_risk_user.csv user as user OUTPUT hru_status notes date_added | search hru_status="active" | eval risk_score = if (in(user_prop, "CEO", "CFO", "COO", "Executive Vice President") risk_mod_count+20,risk_score) |eval risk_score = if (total_hvf >=1 AND total_hvf<=50, risk_mod_count+10, risk_score) |eval aa_tactic_exfil_value = case (aa_tactic == "Exfiltration", aa_tactic == "Collection", "0", aa_tech == "Data_Destruction", "0") |eval aa_tactic_delete_value = case (aa_tactic == "Exfiltration", "0", aa_tactic == "Collection", "0", aa_tech == "Data_Destruction", "1") |eventstats avg(risk_score) as avg_risk stdev(risk_score) as stdev_risk |stats dc(file) as file_count sum(hvf) as total_hvf values(aa_tactic) as aa_tactic values (aa_tech) as aa_tech by user |where (risk_score >=75 AND total_hvf >=10 AND (tactic_exfil_value >= 100 OR tactic_delete_value >= 100))

Next step

Increase risk factors to identify unauthorized usage

See also

For more information on the where command, see the product documentation:

The where command in the Splunk Cloud Services SPL2 Search Reference.

Last modified on 02 June, 2023
Assign risk scores to high risk users   Increase risk factors to identify unauthorized usage

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters