Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Troubleshoot common issues with risk-based alerting

Following are some common issues that you might see when using risk-based alerting in Splunk Enterprise Security:

Risk index does not populate

Issue

The risk index index=risk does not generate risk events even after you have enabled the risk rules and the risk analysis adaptive response action.

Cause

  • SPL for the risk rule is incorrect
  • Risk rules are searching an empty repository
  • Excessive number of risk rules which are not enabled

Solution

  • Verify the SPL of your risk rules.
  • Enable risk rules that might initially generate numerous events. Enabling the risk rules and generating risk events allows you to interact and adjust the risk rules.

Excessive number of risk notables

Issue

Too many risk notables that do not represent high fidelity alerts.

Cause

Excessive risk associated with some risk incident rules can generate excessive risk notables.

Solution

Adjust risk incident rules, threat objects, and risk notables so that they are meaningful to security analysts.

  1. In the Risk Analysis dashboard, navigate to the Most Active Sources to analyze the risk incident rules as follows:

    | tstats summariesonly=false sum(All_Risk.calculated_risk_score) as risk_score,dc(All_Risk.risk_object) as risk_objects,count FROM datamodel=Risk.All_Risk WHERE * All_Risk.risk_object_type="*" (All_Risk.risk_object="*" OR risk_object="*") BY source | sort 1000 - count,risk_score

    Using this search, identify the specific combinations of field values that contribute more risk than necessary.

    For example, a risk incident rule for Endpoint Detection and Response (EDR) that generates multiple alerts indicates a high level of risk. However, a single alert generated by a risk incident rule for HTTP POST to Potentially Suspicious Domain might not represent similar risk. Thus, the analyst must use their judgement to determine whether to use allow lists or adjust the risk score, or both.

  2. Analyze the threat objects associated with the noisiest risk incident rule as follows:

    | tstats sum(All_Risk.calculated_risk_score) as score_sum,values(All_Risk.calculated_risk_score) as score,dc(All_Risk.risk_object) as risk_objects,count FROM datamodel=Risk.All_Risk WHERE source="Threat - RR - Name of Our Noisy Rule - Rule" BY All_Risk.threat_object | sort - score_sum

    Using this search, identify the specific combinations of field values that contribute more risk than necessary.

Last modified on 30 March, 2023
Troubleshoot upgrade issues with risk factors   Isolate threats using risk-based alerting

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters