Review risk-based findings in Splunk Enterprise Security

Findings or finding groups based on risk are generated when you run a finding-based detection.

Evaluate the risk associated with findings using the following methods:

Review the fields in a risk-based finding

Risk-based findings associate risk scores or other relevant security metadata with a system, user, or other entity. The following fields in risk-based findings or finding groups are important for identifying threats. Each entry gives the field name, whether it is required or optional, and a description:

  • Entity (Required): Any object that represents a potential security threat, such as an asset, identity, user, or device tracked by Splunk Enterprise Security.
  • Entity type (Required): Type identifier for the entity, which can be system, user, or a custom value.
  • Risk score (Required): A number that represents the risk level of a specific entity. Risk events have a default score that you can modify using risk factors.
  • Risk event count (Required): The total number of events associated with the finding.
  • Risk message (Optional): A unique message that describes the risk activity, which can use fields from the event using the $event$ syntax. For example: Suspicious Activity to $domain$
  • Threat object (Optional): An interaction or behavior associated with the entity. For example, the Domain threat object tracks the behavior of the domain across all entities.
  • Threat object type (Optional): Identifies the type of threat object, such as domain, URL, IP address, file hash, command line, or process name.

The following fields might also exist in the finding and might be useful for identifying risk:

  • drilldown_earliest: The start time used to identify the contributing events for the finding. This value is automatically populated using the info_min_time in the notable framework.
  • drilldown_latest: The end time used to identify the contributing events for the finding. This value is automatically populated using the info_max_time in the notable framework.
  • drilldown_search: The search used to identify the contributing events for the finding. This search must return a calculated_risk_score field. The calculated_risk_score field is common to the risk data model.

You can access the drilldown_search field from the finding-based detection editor for the finding. You can also customize the drilldown_search field to return the contributing events that create a finding and populate the Timeline visualization.

In addition to analyzing the risk-based findings or finding groups, other factors that might help to identify threats include:

  • Number of events
  • The specific finding-based detection that generates the findings
  • Number of events triaged using security orchestration, automation, and response (SOAR)
  • Number of events remediated using Splunk SOAR

Review the findings from the same entity

Surface high-risk findings that come from the same entity so that you can investigate connected behaviors and threats.

Entities correspond to assets and identities. However, sometimes the same assets and identities might have different display names. For example, the following three display names represent an email address that belongs to a single user. Each entity has a specific number of contributing events associated with it.

  • rob has 5 contributing risk events
  • rob@splunk.com has 4 contributing risk events
  • rob@splunk has 2 contributing risk events

The normalized_risk_object field in Splunk Enterprise Security gets assigned to events so that the detections can group together the events that correspond to the same asset or identity. Event-based detections create findings when they exceed a certain risk threshold. Events with matching normalized entities are often grouped together by Splunk Enterprise Security and as a result, the risk-based alerting framework sees them as a single entity.

The entity that appears most frequently is the entity that gets displayed to the user for the finding. However, the normalized entity is used to calculate risk scores. Risk score calculation is based on the first element that is listed on the Asset and Identity lookup for that entity. Risk scores are not calculated based on the entity that is displayed most frequently.

In this example, all three entities get displayed as rob even though they map to the same identity, which is the email address of a user named Rob. Thus, the total risk score of the finding is based on all the contributing events associated with the same normalized entity, and is therefore higher than the score of any single display name on its own. This increases the likelihood that the risk-based finding is a true positive based on behaviors associated with a single entity, and helps to detect threats during investigations.

If entities that represent the same asset or identity don't get grouped together, the risk they represent might get overlooked because they do not exceed the risk threshold that creates findings. However, if the entities that represent the same asset or identity get normalized and grouped together, connected behaviors that indicate threat become more visible.

Follow these steps to surface high-risk findings that come from the same entity so that you can investigate connected behaviors and threats:

  1. Configure the entity_type field correctly so that Splunk Enterprise Security can normalize the assets and identities and group their events accurately.
    • Ensure that the entity_type field of the event is a system so that Splunk Enterprise Security associates the entity of a user's event with an asset.
    • Ensure that the entity_type field of the event is a user so that Splunk Enterprise Security associates the entity of a system's event with an identity.
  2. Navigate to the Search page and search for index=notable to view the normalized entity associated with a finding.
  3. Navigate to the Mission Control page and expand the finding to view the most frequent entities from all the contributing events grouped together.

Review the findings enriched by entity zones

Surface high-risk findings based on entity zones so that you can investigate threats effectively using the additional context provided by the entity zones.

Entity zones help distinguish between entities that might be mapped to the same asset and identity by providing context to the events through additional information such as geographic location, source, destination, and so on. For example, you might configure different entity zones for the same username or identity based on different departments within the same organization. Similarly, you might configure different entity zones for the same IP address or asset based on two different locations such as San Jose and San Francisco. Entity zones provide enrichment and help to evaluate the risk associated with the event and the entity more effectively to surface true positives.

Finding-based detections create findings when they exceed a certain risk threshold. If the entities, such as IP addresses based in San Jose and San Francisco, get grouped together without the additional context provided by entity zones, their combined risk score can exceed the risk threshold. This creates a higher volume of findings that might not have any real risk associated with them, when evaluated individually. Additional context provided by entity zones helps to reduce the alert volume.

The normalized_risk_object field in Splunk Enterprise Security gets assigned to risk events so that detections can group together the events that correspond to the same asset or identity along with the additional context provided by the entity zones.

Follow these steps to surface high-risk findings based on entity zones so that you can investigate threats effectively using the additional context provided by the entity zones:

  1. In the Analyst queue on the Mission Control page, expand the finding to view the entity zone associated with the finding.
  2. Evaluate the risk associated with the findings if they pertain to the same entity zone.

Additionally, if you make changes to the entity zones or to the asset and identity framework, you might cause a change to the entity normalization, which might result in contributing events not being visible on the Risk Event Timeline visualization. This applies to findings that were created before you made the changes to the entity zones or to the asset and identity framework.
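The following Python model shows the effect described in the two sections above: risk events for rob, rob@splunk.com, and rob@splunk only cross the finding threshold once they are normalized to one identity, and a single IP address seen in San Jose and San Francisco only crosses it when entity zones are ignored. This is an added illustration written for this page, not Splunk Enterprise Security code; the identity lookup, the threshold of 100, the zone names, and the sample events are constructed assumptions.

```python
"""Model of how risk events aggregate into a finding with and without entity
normalization and entity zones. Added illustration for this page, not Splunk
Enterprise Security code; the lookup, the threshold of 100 and the sample
events are all constructed assumptions."""
from collections import Counter, defaultdict

# Constructed asset-and-identity lookup: each display name maps to the
# normalized identity (the first element listed for that identity).
IDENTITY_LOOKUP = {
    "rob": "rob@splunk.com",
    "rob@splunk.com": "rob@splunk.com",
    "rob@splunk": "rob@splunk.com",
}

# Constructed risk events: (display name as seen in the event, entity zone, score).
RISK_EVENTS = (
    [("rob", "corp", 10)] * 5
    + [("rob@splunk.com", "corp", 10)] * 4
    + [("rob@splunk", "corp", 10)] * 2
    # The same IP address seen as an asset in two different locations.
    + [("10.20.30.40", "san_jose", 25)] * 3
    + [("10.20.30.40", "san_francisco", 25)] * 3
)

RISK_THRESHOLD = 100  # assumed threshold at which a finding is created


def normalize(entity):
    """Map a display name to its normalized entity; unknown names map to themselves."""
    return IDENTITY_LOOKUP.get(entity, entity)


def aggregate(events, normalized=True, use_zones=False):
    """Sum risk per group. Returns {group_key: (total_score, event_count)}.

    group_key is the (normalized) entity, or (entity, zone) when use_zones is set."""
    totals = defaultdict(lambda: [0, 0])
    for entity, zone, score in events:
        key = normalize(entity) if normalized else entity
        if use_zones:
            key = (key, zone)
        totals[key][0] += score
        totals[key][1] += 1
    return {key: tuple(vals) for key, vals in totals.items()}


def findings(events, threshold=RISK_THRESHOLD, **grouping):
    """Group keys whose aggregated score reaches the threshold, i.e. would become findings."""
    return sorted(key for key, (score, _) in aggregate(events, **grouping).items()
                  if score >= threshold)


def most_frequent_display_name(events, normalized_entity):
    """The display name shown for a finding: the most frequent raw entity among
    the contributing events that normalize to the given entity."""
    names = Counter(e for e, _, _ in events if normalize(e) == normalized_entity)
    return names.most_common(1)[0][0]


if __name__ == "__main__":
    print("per display name:", findings(RISK_EVENTS, normalized=False))
    print("normalized:      ", findings(RISK_EVENTS))
    print("with zones:      ", findings(RISK_EVENTS, use_zones=True))
    print("shown as:        ", most_frequent_display_name(RISK_EVENTS, "rob@splunk.com"))
```

Grouping by raw display name leaves rob (50), rob@splunk.com (40), and rob@splunk (20) each under the threshold, while the normalized identity reaches 110 and is displayed as rob, the most frequent name. Conversely, the IP address totals 150 when its two locations are merged but only 75 per zone, which is the alert-volume effect entity zones are meant to remove.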

Use the drill-down search to review findings

Follow these steps to correlate and aggregate the risk associated with entities in Splunk Enterprise Security:

  1. Using the drill-down search, identify the following:
    • All relevant events applied to the entity including risk message, src, dest, user, and risk factors
    • MITRE ATT&CK annotations
    • Related entities associated with the events

    The following is an example of a drill-down search that you can use to identify events, MITRE ATT&CK annotations, entities, and so on:

    | from datamodel:"Risk.All_Risk"
    | search risk_object="$risk_object$"
    | table _time, risk_object, risk_object_type, source, annotations.mitre_attack.mitre_tactic_id, annotations.mitre_attack.mitre_technique_id, dest, src, user, risk_message, calculated_risk_score, risk_factor*
    | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_technique_id as mitre_technique_id
    | eval risk_event_type="primary_object"
    | append [
        | from datamodel:"Risk.All_Risk"
        | search risk_object!="$risk_object$" (dest="$risk_object$" OR src="$risk_object$" OR user="$risk_object$")
        | table _time, risk_object, risk_object_type, source, annotations.mitre_attack.mitre_tactic_id, annotations.mitre_attack.mitre_technique_id, dest, src, user, risk_message, calculated_risk_score, risk_factor*
        | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_technique_id as mitre_technique_id
        | eval risk_event_type="related_object"
      ]

    These drill-down searches help you investigate the entity associated with a finding in the analyst queue on the Mission Control page.
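To make the two halves of that search concrete, the following Python model reproduces its logic over a handful of risk events: rows whose risk object is the entity are tagged primary_object, rows where the entity appears only as dest, src, or user are tagged related_object, and the MITRE ATT&CK annotations and related entities are then collected from the result. This is an added illustration, not Splunk code and not a replacement for the SPL above; the sample events, detection names, and score values are constructed.

```python
"""Model of the drill-down search on this page: events whose risk object is the
entity are tagged primary_object, and events where the entity appears only as
dest, src or user are tagged related_object. Added illustration, not Splunk
code; the sample events and detection names are constructed."""

# Constructed risk events, already flattened the way the page's search renames
# the annotations.mitre_attack.* fields.
SAMPLE_RISK_EVENTS = [
    {"_time": 1, "risk_object": "rob@splunk.com", "risk_object_type": "user",
     "source": "Example Phishing Detection", "dest": "web01", "src": "10.1.1.5",
     "user": "rob@splunk.com", "risk_message": "Suspicious Activity to evil.example",
     "calculated_risk_score": 40, "mitre_tactic_id": "TA0001", "mitre_technique_id": "T1566"},
    {"_time": 2, "risk_object": "web01", "risk_object_type": "system",
     "source": "Example Script Execution Detection", "dest": "web01", "src": "10.1.1.5",
     "user": "rob@splunk.com", "risk_message": "Unusual script on web01",
     "calculated_risk_score": 60, "mitre_tactic_id": "TA0002", "mitre_technique_id": "T1059"},
    {"_time": 3, "risk_object": "db02", "risk_object_type": "system",
     "source": "Example Backup Anomaly Detection", "dest": "db02", "src": "10.1.1.9",
     "user": "svc_backup", "risk_message": "Backup job outside window",
     "calculated_risk_score": 20, "mitre_tactic_id": "TA0009", "mitre_technique_id": "T1530"},
]

ENTITY_FIELDS = ("dest", "src", "user")


def drilldown(events, entity):
    """Return primary_object rows followed by related_object rows for the entity,
    mirroring the two halves of the page's search that are joined by append."""
    primary = [dict(e, risk_event_type="primary_object")
               for e in events if e["risk_object"] == entity]
    related = [dict(e, risk_event_type="related_object")
               for e in events
               if e["risk_object"] != entity and entity in (e[f] for f in ENTITY_FIELDS)]
    return primary + related


def mitre_annotations(rows):
    """Distinct (tactic, technique) pairs across the returned rows."""
    return sorted({(r["mitre_tactic_id"], r["mitre_technique_id"]) for r in rows})


def related_entities(rows, entity):
    """Other entities (dest, src, user) that co-occur with the entity in the rows."""
    return sorted({r[f] for r in rows for f in ENTITY_FIELDS if r[f] and r[f] != entity})


if __name__ == "__main__":
    rows = drilldown(SAMPLE_RISK_EVENTS, "rob@splunk.com")
    for r in rows:
        print(r["risk_event_type"], r["_time"], r["risk_object"], r["risk_message"])
    print(mitre_annotations(rows))
    print(related_entities(rows, "rob@splunk.com"))
```

For rob@splunk.com the model returns the phishing event as primary_object and the script-execution event on web01 as related_object (the user field matched), skips the unrelated db02 event, and surfaces two tactic/technique pairs plus web01 and 10.1.1.5 as related entities, which is the information the three bullets in step 1 ask you to identify.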

View the MITRE ATT&CK posture for a finding

View the MITRE ATT&CK posture within the context of a finding so that you can reduce the mean time to detection (MTTD) and mean time to repair (MTTR) and enhance the situational awareness in your security operations center (SOC).

Follow these steps to view the MITRE ATT&CK posture for a finding in context:

  1. In the Splunk Enterprise Security app, select Mission Control.
  2. Select a finding from the list of findings to open it in the side panel. A list is displayed under the field name "MITRE", where you can see the highlighted MITRE tactics and techniques that were detected for the entity.

    If you select the investigation for the finding, a MITRE matrix chart displays all the tactics and techniques for every event associated with the entity for that finding.

    You can also scroll to Additional fields to see the list of MITRE ATT&CK tactics and techniques for the finding.

See also

For more information on reviewing findings, see the product documentation:

Last modified on 09 October, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

