Risk scoring in Splunk Enterprise Security
A risk score is the single metric that shows the relative risk of an entity over time. An entity is any asset, identity, user, or device in your security environment that Splunk Enterprise Security can use to identify potential security threats. As an administrator in Splunk Enterprise Security, you can categorize entities and assign them a risk score. Splunk Enterprise Security labels a device, such as a laptop identified by its hostname, as a system, a username as a user, and unrecognized devices or users as other.
Detections in Splunk Enterprise Security correlate machine data with known threats. Risk-based alerting (RBA) applies this machine data from entities to findings at search time to enrich the search results. Splunk Enterprise Security indexes all risk as events in the risk index. A detection searches for a conditional match to a question about the data. When the detection finds a match, it generates a finding associated with an entity, and this finding might indicate a threat.
As an administrator, you can edit detections to modify the risk score that the detection assigns to an entity. Initially, Splunk Enterprise Security might score some of the risk-based findings higher than your environment warrants. However, you can customize your detections and score your risk findings and investigations appropriately. You can assign risk scores based on both the impact and the confidence of a finding. For example, if a detection such as "Any PowerShell DownloadString" has an impact score of 80 and a confidence score of 70, you can assign it a risk score of 56, which is 80 × 70 / 100. Over time, as you run the detection, you might discover that some of the findings indicate expected behavior in your security environment. In such cases, you can lower the risk that those specific findings contribute rather than lowering the detection's overall risk score.
Default detections in Splunk Enterprise Security might have confidence and impact pre-defined. These values were assigned by the Splunk Threat Research team, and you can customize them for your specific requirements.
Additionally, you can use risk scores as an input for finding-based detections, which group findings by accumulated risk into high-confidence finding groups. This reduces alert volume and lets you focus only on findings that might represent a security threat.
As part of the investigative workflow, you must assign, review, or close these risk-based findings and investigations.
Display of risk scores in Splunk Enterprise Security
Use one of the following methods to view risk scores in Splunk Enterprise Security:
- In Splunk Enterprise Security, select Mission Control and review the analyst queue. The risk scores associated with findings and investigations are displayed in a separate column on the Analyst queue.
- In Splunk Enterprise Security, go to Analytics and select Dashboards. Then, select the Risk analysis dashboard to view Risk scores by entity and Risk scores by annotations. You can also use the Risk analysis dashboard to drill down and investigate risk findings using the Timeline visualization.
Colors distinguish the levels of risk: a yellow badge represents a risk score of 0 to 25, orange represents 25 to 50, light red represents 50 to 75, and dark red represents a risk score above 75.
Not every asset or identity appears with a risk score in the analyst queue. Only assets or identities that have a risk score and an entity type of "system," "user," or "other" are displayed. Risk scores are displayed for the following fields: orig_host, dvc, src, dest, src_user, and user.
The risk score for an asset or identity might not match the score on the Risk Analysis dashboard. The risk score is a cumulative score for an asset or identity over a period of time, such as 7 days, rather than a score for one exact username or IP address: the asset and identity lookups merge aliases of the same asset or identity before the scores are summed. The following list includes some examples:
- If a person with a username of "buttercup" has a risk score of 40, and an email address of "buttercup@splunk.com" with a risk score of 60, and the identity lookup identifies that "buttercup" and "buttercup@splunk.com" belong to the same person, a risk score of 100 displays on the Mission Control page for both "buttercup" and "buttercup@splunk.com" accounts.
- If an IP address of 10.11.36.1 has a risk score of 80 and an IP address of 10.11.36.19 has a risk score of 30, and the asset lookup identifies that a range of IPs "10.11.36.1 - 10.11.36.19" belong to the same asset, a risk score of 110 displays on the Mission Control page for both "10.11.36.1" and "10.11.36.19" IP addresses.
Risk scores are calculated for the Analyst queue on the Mission Control page using the Threat - Risk Correlation By <type> - Lookup Gen lookup generation searches. The searches run every 30 minutes and focus on the last 7 days of events to update the risk_correlation_lookup lookup file. To see more frequent updates to the risk scores on the analyst queue in the Mission Control page, update the cron_schedule of the saved searches.
Risk score levels use the same naming convention as event severity. You can assess relative risk scores by comparing hosts with similar roles and asset priority. The following list includes the risk score levels with the associated scores:
- 20 - Info
- 40 - Low
- 60 - Medium
- 80 - High
- 100 - Critical
How entities impact risk scores in Splunk Enterprise Security
An entity refers to any asset, identity, user, or device in your security environment that can be used by Splunk Enterprise Security to identify potential security threats. As an administrator, you can create entities to categorize anything to which you assign a risk score. For example, you might categorize a laptop as a system entity type and an identity as a user entity type.
When an entity generates an event that is a potential threat, the risk modifier associated with that event increases the risk score of the entity. When a finding-based detection sees an entity associated with several findings and a high accumulated risk score, it creates a risk-based finding in Splunk Enterprise Security.
A finding includes the following key fields: entity, entity_type, and risk_score.
Entity types
If an entity matches an object in the asset or identity table, Splunk Enterprise Security maps the object to the associated type. For example, an object that matches an asset in the asset lookup maps to the system entity type. However, some devices and users do not appear in the corresponding asset and identity tables and therefore cannot be identified as system or user entities. Splunk Enterprise Security categorizes undefined or experimental object types with an entity type of Other.
Splunk Enterprise Security defines the following entity types.
Entity type | Description
---|---
System | Represents a network device or a technology in the asset lookup.
User | Represents an identity such as a network user, credential, or role in the identity lookup.
Hash values | Represents a fixed-length value, such as a file hash, that uniquely identifies data of any size and is used with digital signatures.
Network artifacts | Represents significant clues about unauthorized access by unauthorized entities in a network.
Host artifacts | Represents events caused by adversary activities on one or more hosts, such as registry keys or values known to be created by specific pieces of malware, files, or directories.
Tools | Represents software used by attackers to accomplish their mission.
Other | Represents any undefined object in a data source field.
Example: Reset a risk score for an entity
You can reset a risk score for an entity but with certain limitations.
Consider a scenario where a detection generates many findings for an infected system, which leads to a high risk score. Despite re-imaging, the system still has the same IP address or host name. This requires you to reset the risk score to zero as if it's a new system.
If the host is 192.0.2.2 with a 480.0 risk score, you have only the following options to change the risk score to zero, because risk scores contain a time component:
- Change the time range picker from its default. The score you see depends on the time range, so if you change the range to Last 15 minutes you might see no results for this host: the score is zero when no risk events fall in that time frame. This does not reset the score, but if you know when you re-imaged the system, it lets you verify the risk the host has accumulated since then.
- Manually create a risk entry with a risk score of -480. This also does not reset the score, and it depends on the time frame: the offset cancels the 480 only while the original events and the negative entry fall in the same time window. Once the original events age out of the window but your manually created entry has not, the negative offset has nothing left to cancel, and the object shows a score of -480.
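The three behaviors that make the reset awkward (a score summed over a sliding window, aliases merged through the asset and identity lookups before the sum, and a negative offset that outlives the events it was meant to cancel) are easier to reason about in a small simulation. The following Python is an added example written for this page, not Splunk code or SPL. It assumes risk index events are dictionaries carrying _time, entity, entity_type, and risk_score; it uses a hypothetical IDENTITY_LOOKUP and ASSET_RANGES in place of the ES identity and asset lookups; it scores findings as impact × confidence / 100, as in the PowerShell example above; and it uses a 7-day window like the lookup generation searches. The sample events are constructed to reproduce the buttercup, 10.11.36.x, and 192.0.2.2 examples from this page.

```python
"""Simulation of Splunk ES risk aggregation (added example, not Splunk code).

Assumptions for illustration: risk events are dicts with _time, entity,
entity_type and risk_score; IDENTITY_LOOKUP and ASSET_RANGES stand in for the
ES identity and asset lookups; the aggregation window is 7 days.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)
T0 = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # "now" for the samples

# Hypothetical lookups: the identity lookup says two usernames are one person,
# the asset lookup says an IP range is one asset.
IDENTITY_LOOKUP = {
    "buttercup": "identity:buttercup",
    "buttercup@splunk.com": "identity:buttercup",
}
ASSET_RANGES = [("10.11.36.1", "10.11.36.19", "asset:10.11.36.1-10.11.36.19")]


def risk_score(impact, confidence):
    """Score a finding as the page's example does: impact 80, confidence 70 -> 56."""
    return impact * confidence / 100


def resolve_entity(entity, entity_type):
    """Map an entity to the asset or identity it belongs to, or leave it as-is."""
    if entity_type == "user":
        return IDENTITY_LOOKUP.get(entity, entity)
    if entity_type == "system":
        try:
            ip = ipaddress.ip_address(entity)
        except ValueError:
            return entity  # hostnames are not range-matched in this toy
        for low, high, asset in ASSET_RANGES:
            if ipaddress.ip_address(low) <= ip <= ipaddress.ip_address(high):
                return asset
    return entity


def cumulative_risk(events, now, window=WINDOW):
    """Sum risk_score per resolved entity over the window (now - window, now]."""
    cutoff = now - window
    totals = {}
    for ev in events:
        if not cutoff < ev["_time"] <= now:
            continue
        key = resolve_entity(ev["entity"], ev["entity_type"])
        totals[key] = totals.get(key, 0.0) + ev["risk_score"]
    return totals


def score_for(events, now, entity, entity_type, window=WINDOW):
    """Risk score shown for one entity at time `now`; zero if nothing is in the window."""
    key = resolve_entity(entity, entity_type)
    return cumulative_risk(events, now, window).get(key, 0.0)


def event(days_ago, entity, entity_type, score):
    """Build a constructed risk event `days_ago` days before T0."""
    return {"_time": T0 - timedelta(days=days_ago), "entity": entity,
            "entity_type": entity_type, "risk_score": score}


# Constructed sample risk events mirroring the page's examples.
SAMPLE_EVENTS = [
    event(1, "buttercup", "user", 40),
    event(2, "buttercup@splunk.com", "user", 60),
    event(1, "10.11.36.1", "system", 80),
    event(3, "10.11.36.19", "system", 30),
] + [  # eight findings of impact 80 / confidence 75 on the infected host: 8 * 60 = 480
    event(d % 6 + 1, "192.0.2.2", "system", risk_score(80, 75)) for d in range(8)
]


def reset_demo(events=SAMPLE_EVENTS):
    """Walk through the two 'reset' options from the page for host 192.0.2.2."""
    host = ("192.0.2.2", "system")
    offset = event(0, *host, -480.0)  # manual negative risk entry created at T0
    return {
        "before": score_for(events, T0, *host),
        # option 1: narrow the time range; nothing in the last 15 minutes -> 0
        "last_15_min": score_for(events, T0, *host, window=timedelta(minutes=15)),
        # option 2: the -480 entry cancels the 480 while both are in the window
        "with_offset": score_for(events + [offset], T0, *host),
        # 6.5 days later the positive events have aged out but the offset has not
        "with_offset_later": score_for(events + [offset],
                                       T0 + timedelta(days=6, hours=12), *host),
    }


if __name__ == "__main__":
    print(cumulative_risk(SAMPLE_EVENTS, T0))
    print(reset_demo())
```

Running the block shows buttercup and buttercup@splunk.com both at 100, both 10.11.36.x addresses at 110, and 192.0.2.2 at 480; reset_demo() then shows the 15-minute view at 0, the offset bringing the host to 0 at T0, and the same host at -480 once the original findings leave the window. The last value is the failure mode the page warns about, which is why neither option is a true reset.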
See also
For more information on assigning and modifying risk, see the product documentation:
- Investigate findings using drilldown searches and dashboards in Splunk Enterprise Security
- Modifying risk using risk modifiers in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0