Adjusting risk using risk factors in Splunk Enterprise Security
While risk modifiers are important for calculating risk scores and assigning risk scores to entities, risk factors are adjusters of risk and depend on the characteristics of the specific user or asset. Risk factors modify the risk score by increasing or decreasing the score based on field values in the risk index. Thus, risk factors help to create more precise risk scores that are based on real threat.
How risk factoring works
Risk factors are a set of rules or tuning factors on the basis of which risk scores can be calculated for an entity. You can select conditions to dynamically adjust risk scores and surface more suspicious behavior.
Splunk Enterprise Security calculates the total risk score dynamically using the risk data model instead of relying only on the risk index. The following table describes the different risk scores in Splunk Enterprise Security:
| Risk score type | Description |
|---|---|
| Base risk score | Numerical value based on the detection event. Risk factors assign a calculated risk score based on the conditions specified in the metadata for the entities such as priority, category, user, asset, and so on. |
| Total risk score | Numerical value based on the sum of all calculated risk scores for an entity within a specific time frame. |
Risk factors are usually based on asset or identity information but might also be configured on fields such as Action, Priority, Category, and so on. You must verify the completeness of your assets and identity data in Splunk Enterprise Security to evaluate the data in your security environment based on individual criticality and prioritize key data elements so that you can configure effective risk factors that detect threats.
Risk factors help to adjust the risk scores without creating new searches. For example, you can simply increase the risk score using the risk factor editor by a factor of two on a laptop that belongs to a director instead of an employee rather than create a new search to flag such risk events.
The risk_factors.conf configuration file saves all the values that you enter through the Risk factor editor by default.
How risk factor scoring is calculated
When you create risk factors, check the formula to understand how to calculate the risk factors so that they work as expected and do not inflate the risk scores.
(risk_base_score + sum (expression_group_addition) ) * product (expression_group_multiplication)
For example, if you have 4 matching risk factors for a detection with a base score of 5, and 2 of the risk factors multiply the risk by 2. Another risk factor adds 5 and another risk factor adds 6.
| Base score | Operation |
|---|---|
| 5 | Multiply by 2 |
| 5 | Multiply by 2 |
| 5 | Add by 5 |
| 5 | Add by 6 |
Then, the risk framework calculates the risk factor as follows:
(<base-score> + 5 + 6) = 16;
16x 2 x 2 = 64.
In this example, your risk score is 64.
Additional factors are always applied before the multiplication factors based on the order of operations.
Default risk factors in Splunk Enterprise Security
Use default risk factors designed for specific conditions to dynamically assign risk scores to entities and effectively isolate threats using Splunk Enterprise Security. Splunk Enterprise Security provides seven risk factors by default, which you can customize based on your specific environment. You can also use these default risk factors as examples for guidance and create your own risk factors based on your environment.
All risk factors available in Splunk Enterprise Security are displayed on the risk factor editor, but are turned off.
The following is the list of risk factors that are available in the app by default:
| Risk factor | Description |
|---|---|
| Admin user | Increases the risk score of a user who has a privileged or administrative identity. So, if the user_category field matches the regex value of "admin", the risk factor is multiplied by 1.5.
|
| Contractor user | Increases the risk score for a user who is a contractor. So, if the user_category field value is "contractor", the risk score is increased by a sum of 5.
|
| Critical priority destination | Increases the risk score for critical destinations. So, if the dest_priority field value is "critical", the risk factor is multiplied by 1.5.
|
| High priority user | Increases the risk score for high priority users. So, if the user_priority field value is "high", the risk factor is multiplied by 1.25.
|
| PCI source | Increases the risk for sources that are related to PCI compliance. |
| Watchlisted priority user | Increases the risk score for users on a watch list when the user is not on a priority list. So, if the user_watchlist field is equal to "true" and the user_priority is not equal to "low", the risk factor is multiplied by 1.5. For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage. |
| Watchlisted user | Increases the risk score for users on a watch list by a multiple of 1.5. So, if the user_watchlist is "true", the risk factor is multiplied by 1.5.For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage. |
See also
For more information on assigning risk and risk modifiers, see the product documentation:
| Assign risk using risk modifiers in Splunk Enterprise Security | Create risk factors to adjust risk scores in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Download manual
Feedback submitted, thanks!