Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

How to create risk notables using Splunk Enterprise Security

Risk rules are correlation searches that generate risk: each match writes a risk event, with its risk score, to the risk index. A risk incident rule is a correlation search that runs against the risk index and generates a risk notable.

RBA uses risk incident rules instead of typical correlation searches to generate risk notables so that alerting corresponds to the magnitude of the risk associated with the risk object.

A typical correlation search scans multiple data sources only for defined patterns and performs an adaptive response action when it finds the pattern. For more information on standard correlation search, see Correlation search overview in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.

A risk incident rule reviews the events in the risk index and aggregates the events that impact a single risk object. When it finds a risk object associated with several risk events, and the aggregated risk score of those events surpasses a specified threshold over a period of time, it creates a risk notable in Splunk Enterprise Security. Analysts can then focus their efforts on the connected behaviors that the risk notable brings together rather than on each risk event in isolation. The aggregated risk score of an asset or identity is the sum of the risk scores of all risk events in the risk index that apply to that asset or identity over the period.

In addition to a base detection search, risk incident rules can also include MITRE enrichment data such as:

  • Tactic_Name
  • Tactic Number
  • Technique
  • Technique Reference

Following is an example of a risk incident rule with MITRE enrichment data:

RR-credential_access - T1098 - Account Manipulation-https://attack.mitre.org/techniques/T1098/

You can also use the default risk incident rules available in Splunk Enterprise Security Content Updates (ESCU) or Splunk Security Essentials (SSE).

Adding a risk message provides additional context that analysts can use during triage. The Risk Message field tells the story of what is happening to the user or system and helps analysts determine whether the activity on the risk object warrants a risk notable for further analysis.

Following are some examples of risk incident rules that might generate useful risk notables:

  • 7 day ATT&CK Tactic Threshold Exceeded: A default risk incident rule that generates risk notables when a threshold for MITRE ATT&CK tactics is exceeded over a seven day period.
  • 24 hour Risk Threshold Exceeded: A default risk incident rule that generates risk notables when a threshold for risk score is exceeded over a 24 hour period.
  • 24 hour ATT&CK Tactic Threshold Exceeded: A risk incident rule that generates risk notables when a threshold for MITRE ATT&CK tactics is exceeded over a 24 hour period.
  • 7 day Risk Threshold Exceeded: A risk incident rule that generates risk notables when a threshold for risk score is exceeded over a 7 day period.
  • Anomalous Risk Score Within an Identity Category: A risk incident rule that generates risk notables when a user's aggregated risk score is more than two standard deviations above that of their peers in the same identity category.
  • Anomalous Risk Score Within an Asset Category: A risk incident rule that generates risk notables when a system's aggregated risk score is more than two standard deviations above that of its peers in the same asset category.
  • Anomalous Score Trend for a Role: A risk incident rule that generates risk notables when there is a significant percentage increase in risk score for a specific user role.
  • Anomalous Score Trend for an Asset Category: A risk incident rule that generates risk notables when there is a significant percentage increase in risk score for a specific asset category.
  • Anomalous Score Trend for Threat Object Type: A risk incident rule that generates risk notables when there is a significant percentage increase in risk score for a specific type of threat object.
  • Threat Object Observed Across a Number of Risk Objects: A risk incident rule that generates risk notables when a threat object is observed for the first time across a small number of risk objects.
  • Status Impact Accuracy KPIs: A risk incident rule that generates risk notables when the status, impact, and accuracy of key performance indicators of an organization are impacted.
  • Mean time to resolution (MTTR): A risk incident rule that generates risk notables when the threshold for the mean time to resolution is exceeded.
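The aggregation that the threshold and anomaly rules above perform can be traced in plain Python. The following is an added example, not Splunk's own code or the SPL of the default rules: it re-implements the per-risk-object aggregation over constructed risk events and applies three of the rule shapes listed above (a 24 hour risk score threshold, a 24 hour ATT&CK tactic threshold, and an anomalous score within a risk object category). Field names follow the Risk data model (risk_object, risk_object_type, calculated_risk_score, the mitre_tactic_id annotation, risk_message); the threshold values, the minimum peer count, the search time, and the sample events are assumptions chosen for illustration.

```python
"""Toy model of how risk incident rules aggregate the risk index.

Added example, not Splunk code. It reproduces the per-risk-object aggregation
that risk incident rules run over the risk index, on constructed events.
Thresholds, window, search time and sample data are assumptions.
"""
from collections import defaultdict
from statistics import mean, stdev

DAY = 24 * 60 * 60      # aggregation window of the "24 hour" rules, in seconds
NOW = 1_700_020_000     # assumed search time for the constructed data

# Constructed risk events, shaped like what risk rules write to the risk index:
# (_time, risk_object, risk_object_type, calculated_risk_score, mitre_tactic_id, risk_message)
RISK_EVENTS = [
    (1_700_000_000, "jdoe",    "user",   20, "TA0006", "Kerberoast ticket request by jdoe"),
    (1_700_003_600, "jdoe",    "user",   40, "TA0006", "LSASS memory access by jdoe on ws42"),
    (1_700_007_200, "jdoe",    "user",   30, "TA0008", "First RDP from ws42 to srv01 as jdoe"),
    (1_700_010_800, "jdoe",    "user",   30, "TA0004", "UAC bypass technique on ws42"),
    (1_699_500_000, "jdoe",    "user",  100, "TA0003", "Registry run key added (older than 24h)"),
    (1_700_001_000, "asmith",  "user",   10, "TA0043", "Port scan from asmith workstation"),
    (1_700_002_000, "bwong",   "user",    5, "TA0043", "DNS lookup to newly registered domain"),
    (1_700_003_000, "clee",    "user",   15, "TA0002", "Macro-enabled document opened"),
    (1_700_004_000, "dkim",    "user",   10, "TA0007", "Local group enumeration"),
    (1_700_005_000, "eperez",  "user",    5, "TA0043", "DNS lookup to newly registered domain"),
    (1_700_006_000, "fnguyen", "user",   15, "TA0002", "Macro-enabled document opened"),
    (1_700_007_000, "srv01",   "system", 15, "TA0002", "Encoded PowerShell command line"),
    (1_700_008_000, "srv02",   "system", 15, "TA0002", "Encoded PowerShell command line"),
]


def aggregate(events, now=NOW, window=DAY):
    """Sum scores and collect tactics/messages per (risk_object, type) inside the window."""
    agg = {}
    for t, obj, obj_type, score, tactic, msg in events:
        if not (now - window < t <= now):
            continue                      # outside the rule's earliest/latest bounds
        e = agg.setdefault((obj, obj_type), {"risk_score": 0, "risk_event_count": 0,
                                             "tactics": set(), "messages": []})
        e["risk_score"] += score
        e["risk_event_count"] += 1
        e["tactics"].add(tactic)
        e["messages"].append(msg)
    return agg


def risk_threshold_exceeded(events, threshold=100, **kw):
    """Shape of '24 hour Risk Threshold Exceeded': summed score above the threshold."""
    return sorted(obj for (obj, _), e in aggregate(events, **kw).items()
                  if e["risk_score"] > threshold)


def tactic_threshold_exceeded(events, min_tactics=3, **kw):
    """Shape of '24 hour ATT&CK Tactic Threshold Exceeded': events in the window
    span at least min_tactics distinct ATT&CK tactics for one risk object."""
    return sorted(obj for (obj, _), e in aggregate(events, **kw).items()
                  if len(e["tactics"]) >= min_tactics)


def anomalous_within_category(events, sigma=2.0, min_peers=3, **kw):
    """Shape of 'Anomalous Risk Score Within an Identity/Asset Category': a risk
    object whose score is more than sigma sample standard deviations above the
    mean of its peers of the same risk_object_type."""
    by_type = defaultdict(dict)
    for (obj, obj_type), e in aggregate(events, **kw).items():
        by_type[obj_type][obj] = e["risk_score"]
    flagged = []
    for scores in by_type.values():
        values = list(scores.values())
        if len(values) < min_peers:
            continue                      # too few peers for a meaningful baseline
        mu, sd = mean(values), stdev(values)
        if sd == 0:
            continue                      # identical peers: no deviation to measure
        flagged += [o for o, s in scores.items() if (s - mu) / sd > sigma]
    return sorted(flagged)


def build_notable(events, obj, obj_type="user", **kw):
    """What the resulting risk notable carries: score, count, tactics and the risk
    messages that let an analyst follow the story behind the aggregated score."""
    e = aggregate(events, **kw)[(obj, obj_type)]
    return {"risk_object": obj, "risk_object_type": obj_type,
            "risk_score": e["risk_score"], "risk_event_count": e["risk_event_count"],
            "mitre_tactic_ids": sorted(e["tactics"]), "risk_messages": e["messages"]}


if __name__ == "__main__":
    print("risk threshold:", risk_threshold_exceeded(RISK_EVENTS))
    print("tactic threshold:", tactic_threshold_exceeded(RISK_EVENTS))
    print("anomalous in category:", anomalous_within_category(RISK_EVENTS))
    print(build_notable(RISK_EVENTS, "jdoe"))
```

Note how the older jdoe event (score 100) is excluded by the 24 hour window but counted by a 7 day window: the same risk object can be below one rule's threshold and above another's, which is why the default rules exist in both 24 hour and 7 day variants. The system objects are skipped by the anomaly rule because two peers give no usable baseline; in production the peer set is the whole asset or identity category, not two hosts.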

See also

For more information about risk based correlation searches, see the product documentation.

How risk-based alerting works in Splunk Enterprise Security

Default risk incident rules

Create a risk message to add context for investigations

Risk notables in Splunk Enterprise Security

Last modified on 03 May, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
