Analyze risk with risk-based alerting in Splunk Enterprise Security
Splunk Enterprise Security uses risk-based alerting (RBA) to accelerate and simplify the process of detecting risk in your security environment. The Risk Analysis framework integrates with content management in Splunk Enterprise Security to provide context and enrich raw data.
As a security analyst or threat detection engineer responsible for identifying threats and prioritizing detections in your security environment, you can use detections to generate findings instead of using the Splunk Search Processing Language (SPL) to drill down on high volumes of alerts or raw data. With RBA, you can create high fidelity findings based on risk and increase true positive rates. You can also frame how findings relate to specific assets or identities and develop security stories based on user behaviors to proactively identify threats. This can help you focus on higher impact tasks such as threat hunting and adversary simulation instead of manually triaging findings. Use RBA to identify the most difficult-to-detect security use cases such as the following:
- Insider threats
- Compromised user accounts
- Compromised systems
- Recurring infections
- Suspicious use of credentials
- Lateral movement
- Living off-the-land cyber-attacks
How risk-based alerting works in Splunk Enterprise Security
With risk-based alerting (RBA), analysts receive findings from detections, which surface from multiple intermediate findings. Risk-based alerting uses the existing Splunk Enterprise Security detection framework to collect all intermediate findings into a single risk index. Events collected in the risk index create a single finding when they meet a specific criteria, which warrants an investigation.
For example, suppose a single system creates five intermediate findings from several detections. Each of these intermediate findings have a low risk score. However, when taken together these intermediate findings surpass the risk score threshold, pertain to specific MITRE ATT&CK techniques, and are associated with unique data sources over multiple time frames. Risk-based alerting can pick up on this threat even when the system generates only a single finding because it performs correlated alerting that tells a high-fidelity security story, which analysts can investigate.
Similarly, RBA helps detect complex behavior over a period of time instead of a point in time. For example, an impatient hacker might try various techniques to attack a single server over a period of time. Risk-based alerting uses a variety of alerting criteria over a varying duration of time to provide insight into your environment, which helps to tune detections to your environment in addition to threat hunting.
Therefore, you can review the following alerts, which use different factors and time duration to detect threat:
Alert | Description |
---|---|
Score threshold 100 exceeded over 24 hours | This alert uses combined scores of events to trigger an alert. |
Events from multiple sourcetypes over 3 days | This alert uses three unique data sources that generate events from a single machine. |
Multiple MITRE ATT&CK tactics observed over 7 days | This alert uses observations tagged with MITRE ATT&CK tactics and techniques. |
The following steps illustrate how RBA works in Splunk Enterprise Security.
Step 1: Detections identify anomalies and assign risk scores to events
A detection runs against raw events and indicates potentially malicious activity. A detection contains the following three components:
- Search logic using the Search Processing Language (SPL)
- Risk annotations
- Risk analysis adaptive response action for generating intermediate findings
All intermediate findings are written to the risk index. The following list includes examples of detections:
- Traffic to Non-standard Port
- Threat Intel Match
- Suspicious Logon Type
The detections identify anomalies and log search results or intermediate findings to the risk index. Splunk Enterprise Security uses the Risk Framework to dynamically calculate a risk score for each event using risk modifiers. Splunk Enterprise Security also associates the event with specific assets and identities such as users or systems.
Step 2: Detections review the events in the risk index and use an aggregation of events impacting a single entity to generate findings
Detections review the risk index for anomalous events and threat activities. When the detections find an entity associated with several intermediate findings, the detections create findings in Splunk Enterprise Security. When the risk scores associated with the findings surpass a specified threshold over a period of time, analysts focus their efforts on connected behaviors associated with the finding. The aggregated risk score of an asset or identity is the sum of all the risk scores for intermediate findings in the risk index that apply to the specific asset or identity over a period of time.
For example, a finding might be created when the detection identifies a single machine that generated 5 intermediate findings. These events can be combined to cross a threshold of the following factors:
- Risk score
- MITRE ATT&CK techniques
- Unique data sources over various time frames
Step 3: Risk factors trigger intermediate findings in the risk index
Analysts can also define risk factors that add or multiply risk scores associated with assets and identities such as users or systems when suspicious behavior occurs. For example, an analyst might want to multiply risk scores by 1.5 for a privileged user, who is also an administrator. Instead of triggering a finding that populates the Mission Control page, risk factors trigger an intermediate finding in the risk index.
Step 4: Context rich findings help to triage and neutralize threat
Analysts can also add relevant context to risk attributions by mapping them against a relevant cybersecurity framework or applying a risk score to the finding. You can associate findings with conditions such as MITRE ATT&CK tactics or techniques. MITRE ATT&CK tactics are categories of activities such as privilege escalation or command and control, while MITRE ATT&CK techniques are specific activities such as kerberoasting or protocol tunneling. Using Splunk Security Essentials or Splunk Enterprise Security content updates, you can identify the techniques covered by your data sources and build a breadth of detections across every tactic. Splunk Enterprise Security also supports NIST, CIS, Critical Security Controls, and the Lockheed Martin Cyber Kill Chain frameworks. When a risk score or behavioral pattern of an asset or identity meets a predetermined threshold, it triggers a finding or alert, which provides analysts with valuable context at the onset of their investigation process and expedites the neutralization of threats.
Advantages of using risk-based alerting in Splunk Enterprise Security
Using RBA to analyze risk in your security environment offers the following advantages:
Advantage | Description |
---|---|
Address threats and identify security gaps with leading cybersecurity frameworks | Apply insights from cybersecurity frameworks such as MITRE ATT&CK, CIS 20, and NIST Controls to create visualizations that highlight the tactics and techniques observed in intermediate findings. You can use these visualizations to quickly build situational awareness around a given user or system in the context of the ATT&CK matrix and view the associated documentation on a given technique. With this additional context, you can proactively detect threats such as adversary simulation. With your preferred framework, you can also quantify security gaps and identify the MITRE tactics covered to plan your response without using SPL. |
Identify relationships between threat actors using visualizations | Visualizations such as Threat Topology and Risk Event Timeline allow analysts to quickly visualize relationships between malicious threat actors and their users and systems when working with findings. Analysts can discover the scope of a security incident immediately and quickly pivot between affected assets and identities in the investigation. |
Detect complex threats by expanding security coverage | Surface attacks by building a comprehensive collection of attributes. You can build investigations that span over longer periods of time and prevent malicious tactics that infiltrate the SOC through low-level attacks. For example, you can configure alerts when an entity's behavior spans three or more MITRE ATT&CK tactics over a two-week period, expanding your security coverage. |
Streamline investigations and remediation | Reduce the triage time for security incidents by providing context to the investigative process and reducing alert volume, which helps analysts focus on other high-value activities within the SOC. |
Detect fraud using RBA in the Splunk App for Fraud Analytics
You can also use the Splunk App for Fraud Analytics to detect fraud. This app uses the RBA framework to provide high fidelity and actionable fraud alerts for account takeovers and new account fraud. You can also use this app to get started with RBA using some default searches and dashboards even if you do not have prior knowledge of SPL.
Download and install the Splunk App for Fraud Analytics in your Splunk Platform environment from Splunkbase. For more information on the app, see Splunk App for Fraud Analytics User Guide.
Additionally, you can contact your Splunk Sales representative to deploy this app along with your existing Splunk Enterprise Security deployment. With this app, you can display fraud related alerts and drill down on fraud analysis dashboards in Splunk Enterprise Security.
You do not need to download the app to use RBA in Splunk Enterprise Security.
See also
For more details on risk-based alerting in Splunk Enterprise Security, see the product documentation:
- Risk scoring in Splunk Enterprise Security
- Modifying risk using risk modifiers in Splunk Enterprise Security
- Assign risk using risk modifiers in Splunk Enterprise Security
- Review risk-based findings in Splunk Enterprise Security
- Create risk factors to adjust risk scores in Splunk Enterprise Security
Automate your investigation response with actions and playbooks in Splunk Enterprise Security | Investigate observables related to an investigation in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Feedback submitted, thanks!