Assign risk using risk modifiers in Splunk Enterprise Security

Use risk scores to identify the risk associated with the entities in your security environment by capturing and aggregating the activities of the entities into a single metric using risk modifiers.

Assign risk to event-based detections by configuring risk modifiers

Assign risk to event-based detections by configuring risk modifiers using risk scores, entities, and entity types in the detection editor. You can also add a risk message to provide context for the analyst during investigations. For example, you can assign a risk score of 20 to successful HTTP POST events that indicate that the client's request was successfully received, understood, and accepted. You can assign a risk score of 0 for failed HTTP POST events since these are actions that were not performed. Successful POST operation indicate that a user probably submitted a password to credential phishing or submitted other information that is confidential. If the POST operation fails, there is no risk.

Similarly, you can assign a lower risk score to commands such as systeminfo, ipconfig, or netstat but still track them as a possible malicious event that might later become a risk-based finding.

Risk messages are unique messages to describe the risk activity and can use fields, with a syntax of $example$, from the event such as: Suspicious Activity to $domain$. Risk messages can help deliver context that is relevant to a detection, such as a user agent so that you don't need to only rely on the Risk Analysis data model schema.

Follow these steps to assign risk to a detection:

1. In the Splunk Enterprise Security app, select the Security content tab.
2. Select Content management.
3. Select +Content and then select Detection to specify the type of detection that you want to create. For example, select Event-based detection.
4. Select Submit to open the detection editor.
5. In the Edit event-based detection editor, go to Assign risk.
6. In the Risk message field, enter a risk message. For example, "Possible Bypass of User Account Controls".
   You can also add custom fields to the risk message using the $variable$ format. For example, the instance of $parent_process_name$spawning$process_name$ is an attempt to add a certificate to the store on endpoint $dest$ by user $user$.
7. Add the risk modifiers by populating the following fields:
   • Risk Score: Enter an integer in the Risk Score field to assign a value to the entity.

     You can assign event-based detections a risk score of 0 to group findings based on a user or system rather than a risk score alone. The Entity type field indicates if the finding group is grouped by a user or by a system. If neither a user or system is detected, grouping occurs based on the entity or the risk object.

   • Entity: Enter the name of a field that exists in the detection search to apply the risk score to the field.
     For example, enter src to select the source field.
   • Entity type: Enter the name of an entity type to select whether the entity is a system, user, or other. For example, enter host_artifacts for an asset.
   You can add multiple risk modifiers, by selecting +Add risk modifier.
8. Select Save.

Add threat objects as a risk modifier to event-based detections

Add a threat object to correlate the behavior or activity of an entity in the risk modifiers created by your detections. Threat objects are any behaviors of an entity that you want to store. Threat objects can include file directories, interactions that you want to track, domain names, command lines, IP addresses, registry keyes, filenames, and so on. Threat objects provide a broader perspective of the security environment because of their interactions with the entity. Threat objects are better indicators for tracking suspicious behaviors or activities.

Follow these steps to add a threat object as a risk modifier to a detection:

1. In the Splunk Enterprise Security app, select the Security content tab.
2. Select Content management.
3. Select +Content and then select Detection to specify the type of detection that you want to create. For example, select Event-based detection.
4. Select Submit to open the detection editor.
5. In the Edit event-based detection editor, go to +Assign risk.
6. Select +Add threat object to add a threat object.
7. In the Threat object field, enter the threat object field in the detection. For example: payload
8. In the Threat object type field, enter the type of the threat object. For example: file_hash
9. You can add multiple threat objects, by selecting +Add threat object.
10. Select Save.

Use risk scores as an input type for finding-based detections to display risk-based findings

Use risk scores as an input type for finding-based detections to display high confidence findings based on risk so that you can reduce alert volume and focus only on findings that might represent a security threat.

Follow these steps to use risk scores as an input type for finding-based detections to display high confidence findings:

1. In the Splunk Enterprise Security app, go to Configure.
2. Select Content, and then select Content Management.
3. Select +Content and then select Detection to specify the type of detection that you want to create.
4. Select Finding-based detection to create a detection based on a high-confidence finding group around a given entity, behavior, or activity, which indicates a security incident.
5. Select Submit to open the detection editor.
6. In the Create finding-based detection editor, go to the Finding input type panel and select a Group type to combine the findings from the detection search results into high confidence finding groups.
7. In the Edit finding-based detection editor, select Cumulative entity risk to group your findings into finding groups based on risk score. Selecting this option lets you create a finding group when findings reach a risk score threshold for an entity.
8. Specify the risk score threshold by identifying a numerical risk score value against the "is greater than" option.

Modify risk scores by manually creating a risk entry

Manually create a risk entry to make a one-time adjustment to an entity's risk score. You can use manually created risk entries to add a positive or negative number to the risk score of an object. Add a manually created risk entry to neutralize risk manually or as part of an automation when you close a finding.

Follow these steps to create a manual risk entry:

1. In the Splunk Enterprise Security app, select Analytics.
2. Select Security Intelligence, and then select Risk analysis.
3. Select Create ad-hoc risk entry.
4. Complete the form.
5. Select Save.

Modify risk scores by modifying the SPL of detections

Modify risk scores on multiple entities by modifying the search processing language (SPL) query of detection searches. Use these search examples to assign risk to a user, system, or other entity in a custom detection.

The example uses ... to indicate a search that includes the field to which you want to assign risk in the results.

Assign risk using the sendalert command

You can use the sendalert command without the appendpipe command to assign risk directly to field values, without performing conditional evaluations of the field values.

... | sendalert risk param._risk_object_type="system" param._risk_score=<your_risk_score_integer> | eval risk_object=user | sendalert risk param._risk_object_type="user" param._risk_score=<your_risk_score_integer>

For example, run the following search:

| makeresults | eval dest="mysystem", user="myuser" | sendalert risk param._risk_object=dest param._risk_object_type="system" param._risk_score=15 | sendalert risk param._risk_object="user" param._risk_object_type="user" param._risk_score=20

See also

For more information on risk-based alerting in Splunk Enterprise Security, see the product documentation.

• Risk analysis dashboard in the Use Splunk Enterprise Security manual.
• Create finding-based detections in Splunk Enterprise Security
• Risk scoring in Splunk Enterprise Security
• Modifying risk using risk modifiers in Splunk Enterprise Security