Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Risk notables in Splunk Enterprise Security

Risk notables are automatically generated when you run a risk incident rule, which associates risk scores with a system, user, or other risk objects.

Fields in a risk notable

The Risk Analysis adaptive response action applies a few key fields from the Risk Analysis framework to create a risk notable.

Search results from risk incident rules must contain the following key fields to create risk notables:

  • Risk object (required): Any entity that represents a potential security threat, such as an asset, identity, user, or device tracked by Splunk Enterprise Security.
  • Risk object type (required): The risk object identifier, which can be a system, user, or a custom value.
  • Risk score (required): A number that represents the risk level of a specific risk object. Risk events have a default score that you can modify using risk factors.
  • Risk event count (required): The total number of risk events associated with the notable event. The notable search calculates this value.
  • Risk message (optional): A unique message that describes the risk activity. The message can use fields from the risk event surrounded by "$". For example: Suspicious Activity to $domain$
  • Threat object (optional): Deviant behavior patterns of a risk object or entity that indicate a security breach. For example, the domain threat object tracks the behavior of the domain across all risk objects.
  • Threat object type (optional): Identifies the threat object, such as domain, URL, IP address, file hash, command line, or process name.
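The following added example (not Splunk code) models the key-field requirements above: it rejects a search result row that lacks a required field and expands the "$field$" tokens in the risk message from the row's own fields. The field names and sample rows are constructed for this example.

```python
import re

# Key fields listed on this page for the Risk Analysis adaptive response action.
REQUIRED = ("risk_object", "risk_object_type", "risk_score", "risk_event_count")
OPTIONAL = ("risk_message", "threat_object", "threat_object_type")
TOKEN = re.compile(r"\$(\w+)\$")  # matches $domain$-style placeholders


def missing_required(result):
    """Return the required key fields that are absent or empty in one result row."""
    return [f for f in REQUIRED if result.get(f) in (None, "")]


def render_risk_message(template, event):
    """Expand $field$ tokens against the risk event; unknown tokens are left untouched."""
    return TOKEN.sub(lambda m: str(event[m.group(1)]) if m.group(1) in event else m.group(0),
                     template)


def build_risk_notable(result):
    """Validate a risk incident rule result row and shape it into a risk notable dict.

    Raises ValueError when any required field is missing, mirroring the rule that
    results without the key fields cannot create a risk notable.
    """
    missing = missing_required(result)
    if missing:
        raise ValueError("cannot create risk notable, missing: " + ", ".join(missing))
    notable = {f: result[f] for f in REQUIRED}
    notable["risk_score"] = float(notable["risk_score"])
    notable["risk_event_count"] = int(notable["risk_event_count"])
    for f in OPTIONAL:
        if result.get(f):
            notable[f] = result[f]
    if "risk_message" in notable:
        notable["risk_message"] = render_risk_message(notable["risk_message"], result)
    return notable


# Constructed sample rows, not real Splunk search output.
GOOD_ROW = {"risk_object": "rob", "risk_object_type": "user", "risk_score": "1285.0",
            "risk_event_count": "11", "domain": "example.invalid",
            "risk_message": "Suspicious Activity to $domain$",
            "threat_object": "example.invalid", "threat_object_type": "domain"}
BAD_ROW = {"risk_object": "10.0.0.5", "risk_object_type": "system"}  # no score, no count
```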

The following fields exist in the notable adaptive response action, but are not required in the risk incident rule search results:

  • drilldown_earliest: The start time used to identify the contributing events for the risk notable. This value is automatically populated using the info_min_time in the notable framework.
  • drilldown_latest: The end time used to identify the contributing events for the risk notable. This value is automatically populated using the info_max_time in the notable framework.
  • drilldown_search: The search used to identify the contributing events for the risk notable. This search must return a calculated_risk_score field. The calculated_risk_score field is common to the Risk data model.

You can access the drilldown_search field from the correlation search editor for the risk notable. You can also customize the drilldown_search field to select the contributing events that create a risk notable and populate the Risk Event Timeline.

In addition to analyzing the risk notables, other factors that might help to identify threats include:

  • Number of risk events
  • Specific risk incident rules that generate the risk notables
  • Number of events triaged using security orchestration automation and response (SOAR)
  • Number of events remediated using SOAR

Difference between a notable and a risk notable

A notable is an event generated by a correlation search as an alert. A notable includes custom metadata fields to assist in alert investigation and track event remediation.

Risk notables are notable events with risk scores that get created automatically when a risk incident rule associates a risk score with a risk object.

Verify a notable is a risk notable

Follow these steps to verify that a notable is a risk notable:

  1. On the Incident Review page, expand the correlation search associated with the notable.
  2. Check if the search contains the Risk Score field. For example: Risk Score:1285.0.
  3. Under Event Details, check if the eventtype field contains the tag: risk_notables

Risk notables from the same risk object

Risk objects correspond to assets and identities. However, sometimes the same assets and identities might have different display names. For example, the following three display names represent an email address that belongs to a single user. Each risk object has a specific number of contributing risk events associated with it.

  • rob has 5 contributing risk events
  • rob@splunk.com has 4 contributing risk events
  • rob@splunk has 2 contributing risk events

The normalized_risk_object field in Splunk Enterprise Security gets assigned to risk events so that correlation searches can group together the risk events that correspond to the same asset or identity. Risk incident rules create risk notables when the grouped risk events exceed a certain risk threshold. Risk events with matching normalized risk objects are grouped together by Splunk Enterprise Security and, as a result, the risk-based alerting framework sees them as a single entity.

The risk object that appears most frequently is the risk object that gets displayed to the user for the notable. However, the normalized risk object is used to calculate risk scores. Risk score calculation is based on the first element that is listed on the Asset and Identity lookup for that entity. Risk scores are not calculated based on the risk object that is displayed most frequently.

In this example, all three risk objects get displayed as rob even though they map to the same identity, which is the email address of a user named Rob. Thus, the total risk score of the risk notable is computed from all contributing risk events that share the same normalized risk object, and is therefore higher than the score of any single display name on its own. This increases the likelihood that the risk incident rule creates true positive risk notables based on behaviors associated with a single risk object (asset or identity) and helps to detect threats during investigations.

If risk objects that represent the same asset or identity don't get grouped together, the risk they represent might get overlooked because they do not exceed the risk threshold that creates risk notables. However, if the risk objects that represent the same asset or identity get normalized and grouped together, connected behaviors that indicate threat become more visible.

Risk notables enriched by entity zones

Entity zones help distinguish between risk objects that might be mapped to the same asset and identity by providing context to the risk events through additional information such as geographic location, source, destination, and so on. For example, you might configure different entity zones for the same username or identity based on different departments within the same organization. Similarly, you might configure different entity zones for the same IP address or asset based on two different locations such as San Jose and San Francisco. Entity zones provide enrichment and help to evaluate the risk associated with the risk event and the risk object more effectively to surface true positives.

Risk incident rules create risk notables when the grouped risk events exceed a certain risk threshold. If risk objects, such as IP addresses based in San Jose and San Francisco, get grouped together without the additional context provided by entity zones, their combined risk score can exceed the risk threshold. This creates a higher volume of risk notables that might not have any real risk associated with them when evaluated individually. The additional context provided by entity zones helps to reduce the alert volume.

The normalized_risk_object field in Splunk Enterprise Security gets assigned to risk events so that correlation searches can group together the risk events that correspond to the same asset or identity along with the additional context provided by the entity zones.
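The following added example (not Splunk code) models both the normalization described under "Risk notables from the same risk object" and the entity-zone grouping described in this section. It assumes a constructed identity lookup that maps each display name of Rob to the first identity listed for him, uses a constructed threshold of 100, and reproduces the page's 5/4/2 contributing-event split; the event scores and zone names are also constructed.

```python
from collections import Counter, defaultdict

# Constructed stand-in for the Asset and Identity lookup: alias -> first listed identity.
IDENTITY_LOOKUP = {"rob": "rob@splunk.com", "rob@splunk.com": "rob@splunk.com",
                   "rob@splunk": "rob@splunk.com"}


def normalize(risk_object, lookup):
    """Return the normalized_risk_object; unknown objects normalize to themselves."""
    return lookup.get(risk_object, risk_object)


def aggregate(events, lookup, use_zones):
    """Group risk events by (normalized_risk_object, risk_object_type[, entity_zone]).

    Each group reports the most frequent display name as risk_object, the summed
    risk_score, and the contributing risk_event_count, as the page describes.
    """
    groups = defaultdict(list)
    for ev in events:
        key = (normalize(ev["risk_object"], lookup), ev["risk_object_type"])
        if use_zones:
            key += (ev.get("entity_zone", ""),)
        groups[key].append(ev)
    out = {}
    for key, evs in groups.items():
        names = Counter(ev["risk_object"] for ev in evs)
        out[key] = {"risk_object": names.most_common(1)[0][0],
                    "risk_score": sum(ev["risk_score"] for ev in evs),
                    "risk_event_count": len(evs)}
    return out


def risk_notables(events, lookup, threshold, use_zones=False):
    """Return the groups whose summed risk score exceeds the threshold."""
    return [n for n in aggregate(events, lookup, use_zones).values()
            if n["risk_score"] > threshold]


# Constructed events: rob 5, rob@splunk.com 4, rob@splunk 2, each scoring 20.
ROB_EVENTS = ([{"risk_object": "rob", "risk_object_type": "user", "risk_score": 20}] * 5
              + [{"risk_object": "rob@splunk.com", "risk_object_type": "user", "risk_score": 20}] * 4
              + [{"risk_object": "rob@splunk", "risk_object_type": "user", "risk_score": 20}] * 2)
# Constructed events: one IP address seen in two sites, three events of 30 in each.
IP_EVENTS = ([{"risk_object": "10.1.2.3", "risk_object_type": "system", "risk_score": 30,
               "entity_zone": "san_jose"}] * 3
             + [{"risk_object": "10.1.2.3", "risk_object_type": "system", "risk_score": 30,
                 "entity_zone": "san_francisco"}] * 3)
```

Without the lookup no single display name of Rob crosses the threshold, with it one notable displayed as rob carries all 11 events; the shared IP crosses the threshold only when zones are ignored.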

For more information on using entity zones to add context to risk notables, see Review risk notables enriched by entity zones.

See also

For more information about risk notables and RBA, see the product documentation.

Review risk notables to identify risk in Splunk Enterprise Security

Analyze risk events using the Risk Timeline in Splunk Enterprise Security

Analyze the risk events associated with a risk notable in Splunk Enterprise Security

Analyze risk notables using Threat Topology in Splunk Enterprise Security

Last modified on 12 April, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2