Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Add a risk message and a risk score to a notable

This is the fifth step in the Isolate threats with risk-based alerting scenario.

Ram adds a risk message and a risk score to the notable event that represents a threat by creating an adaptive response action. These adaptive response actions help to gather more information, take an action in another system, send information to another system, modify a risk score, and so on. Adding a custom risk message helps Ram to build detections based on specific information, such as risk scores, instead of merely relying on the Risk Analysis data model schema.

  1. From a risk notable event, Ram selects the arrow to expand the Actions column and selects Run Adaptive Response Actions.
  2. Ram selects Add New Response Action and selects the Risk Analysis adaptive response action from the dropdown list to create risk modifier events in the risk index.
  3. Ram enters the following risk message, Possible Bypass of User Account Controls.
    The following screenshot displays how to configure a risk message as an adaptive response action in the Correlation Search Editor. This image displays displays how to configure a risk message as an adaptive response action in the Correlation Search Editor.
  4. Ram also adds a risk modifier by populating the following fields:
    • Risk Score
    • Risk Object Field
    • Risk Object Type
  5. Ram selects Run to run the adaptive risk action on the notable.

Next step

Adjust risk scores for specific objects

See also

For more information on risk messages, see the product documentation:

Create a risk message to add context for investigations

Last modified on 02 June, 2023
Classify risk objects based on annotations   Adjust risk scores for specific objects

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters