Increase risk factors to identify unauthorized usage
This is the fourth step in the Isolate user behaviors that pose threats with risk-based alerting scenario.
When Ram used Splunk Enterprise Security versions lower than 6.4, Ram took multiple steps to adjust risk scores and track anomalous behavior from high risk users. With Splunk Enterprise Security versions 6.4 and higher, Ram creates risk factors to multiply or reduce the risk associated with specific users.
Ram uses risk factors to dynamically adjust risk scores based on the behavior of high risk users.
Organizations might have high risk users due to any of the following reasons:
- A reduction in workforce
- Work on a sensitive project
- Employee being put on a performance improvement plan (PIP).
Before Splunk Enterprise Security version 6.4
Earlier, Ram used the eval command to adjust risk scores dynamically, producing meaningful scores based on the user information in the Active Directory of Buttercup Games, as follows:
- Ram raised the risk scores by 20 for users with specific job titles such as CEO, CFO, COO, and Executive Vice President using the following search:
| eval risk_score = if (in (user_prop, "CEO", "CFO", "COO", "Executive Vice President"), risk_score + 20, risk_score)
- Then, Ram raised risk scores by 10 based on whether the total high value file count is greater than 1 but less than or equal to 50 using the following search:
| eval risk_score = if (total_hvf >= 1 AND total_hvf <=50, risk_score +10, risk_score)
Though the eval command helped Ram modify risk scores based on specific criteria, Ram had to build multi-step SPL searches, which was not an efficient use of time.
After Splunk Enterprise Security version 6.4
After upgrading to Splunk Enterprise Security version 6.4, Ram uses the Risk Factor Editor to dynamically adjust risk scores. Now, Ram multiplies or reduces the risk score based on the characteristics of the specific asset or identity by selecting specific conditions in the Risk Factor Editor. This helps Ram surface suspicious behavior based on field values in the risk index without creating new searches. For example, Ram increases the risk score by a factor of two on a laptop that belongs to a director at Buttercup Games.
Alternatively, Ram can adjust the risk scores in the network environment by experimenting with the default risk factors that ship with Splunk Enterprise Security to assign risk effectively. All risk factors, including disabled ones, are displayed in the Risk Factor Editor. So, Ram can use the default High Priority User risk factor to increase the risk score for high priority users: if the value of the user_priority field is "high", Ram sets the risk factor to multiply by 1.25.
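The following Python is an added illustration, not Splunk code or SPL: it models the additive eval adjustments from the earlier section beside multiplicative risk factors over constructed risk events. The factor definitions, the field names asset_category and owner_title, and the assumption that several matching factors compound by multiplying are mine, not the page's.

```python
"""Toy model of the two risk-adjustment styles on this page (constructed
example, not Splunk code). Pre-6.4 eval adjustments add to risk_score;
risk factors multiply it. Assumption: several matching factors compound."""
from dataclasses import dataclass
from typing import Callable

EXECUTIVE_TITLES = {"CEO", "CFO", "COO", "Executive Vice President"}

def eval_style_adjust(event: dict) -> float:
    """Mirror the two eval statements: +20 for executive titles,
    +10 when total_hvf is between 1 and 50 inclusive."""
    score = float(event["risk_score"])
    if event.get("user_prop") in EXECUTIVE_TITLES:
        score += 20
    if 1 <= event.get("total_hvf", 0) <= 50:
        score += 10
    return score

@dataclass
class RiskFactor:
    name: str
    condition: Callable[[dict], bool]  # test on asset/identity fields
    multiplier: float
    enabled: bool = True

# Hypothetical factors modelled on the page's two examples; the third is
# disabled to show that it is listed but never applied.
RISK_FACTORS = [
    RiskFactor("High Priority User", lambda e: e.get("user_priority") == "high", 1.25),
    RiskFactor("Director laptop", lambda e: e.get("asset_category") == "laptop"
               and e.get("owner_title") == "Director", 2.0),
    RiskFactor("Disabled example", lambda e: True, 10.0, enabled=False),
]

def apply_risk_factors(event: dict, factors=RISK_FACTORS):
    """Multiply the base score by each enabled factor whose condition
    matches; return (adjusted_score, names_of_factors_that_fired)."""
    score, fired = float(event["risk_score"]), []
    for f in factors:
        if f.enabled and f.condition(event):
            score *= f.multiplier
            fired.append(f.name)
    return round(score, 2), fired

# Constructed risk events (not real Buttercup Games data).
SAMPLE_EVENTS = [
    {"risk_score": 40, "user_prop": "CFO", "total_hvf": 12, "user_priority": "high",
     "asset_category": "laptop", "owner_title": "Director"},
    {"risk_score": 40, "user_prop": "Analyst", "total_hvf": 0, "user_priority": "medium",
     "asset_category": "desktop", "owner_title": "Analyst"},
]
```

For the first constructed event the eval style yields 70.0 while the two matching factors compound to 100.0; the second event matches nothing and keeps its base score of 40.0 under both styles.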
Next step
Use the Risk Analysis dashboard to monitor high risk user behavior
See also
For more information on risk factors, see the product documentation:
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2