Analyze risk with risk-based alerting in Splunk Enterprise Security

Splunk Enterprise Security uses risk-based alerting (RBA) to accelerate and simplify the process of detecting risk in your security environment. The Risk Analysis framework integrates with content management in Splunk Enterprise Security to provide context and enrich raw data.

As a security analyst or threat detection engineer responsible for identifying threats and prioritizing detections in your security environment, you can use detections to generate findings instead of using the Splunk Search Processing Language (SPL) to drill down on high volumes of alerts or raw data. With RBA, you can create high fidelity findings based on risk and increase true positive rates. You can also frame how findings relate to specific assets or identities and develop security stories based on user behaviors to proactively identify threats. This can help you focus on higher impact tasks such as threat hunting and adversary simulation instead of manually triaging findings. Use RBA to identify the most difficult-to-detect security use cases such as the following:

• Insider threats
• Compromised user accounts
• Compromised systems
• Recurring infections
• Suspicious use of credentials
• Lateral movement
• Living off-the-land cyber-attacks

How risk-based alerting works in Splunk Enterprise Security

With risk-based alerting (RBA), analysts receive findings from detections, which surface from multiple intermediate findings. Risk-based alerting uses the existing Splunk Enterprise Security detection framework to collect all intermediate findings into a single risk index. Events collected in the risk index create a single finding when they meet a specific criteria, which warrants an investigation.

For example, suppose a single system creates five intermediate findings from several detections. Each of these intermediate findings have a low risk score. However, when taken together these intermediate findings surpass the risk score threshold, pertain to specific MITRE ATT&CK techniques, and are associated with unique data sources over multiple time frames. Risk-based alerting can pick up on this threat even when the system generates only a single finding because it performs correlated alerting that tells a high-fidelity security story, which analysts can investigate.

Similarly, RBA helps detect complex behavior over a period of time instead of a point in time. For example, an impatient hacker might try various techniques to attack a single server over a period of time. Risk-based alerting uses a variety of alerting criteria over a varying duration of time to provide insight into your environment, which helps to tune detections to your environment in addition to threat hunting.

Therefore, you can review the following alerts, which use different factors and time duration to detect threat:

The following steps illustrate how RBA works in Splunk Enterprise Security.

Step 1: Detections identify anomalies and assign risk scores to events

A detection runs against raw events and indicates potentially malicious activity. A detection contains the following three components:

• Search logic using the Search Processing Language (SPL)
• Risk annotations
• Risk analysis adaptive response action for generating intermediate findings

All intermediate findings are written to the risk index. The following list includes examples of detections:

• Traffic to Non-standard Port
• Threat Intel Match
• Suspicious Logon Type

The detections identify anomalies and log search results or intermediate findings to the risk index. Splunk Enterprise Security uses the Risk Framework to dynamically calculate a risk score for each event using risk modifiers. Splunk Enterprise Security also associates the event with specific assets and identities such as users or systems.

Step 2: Detections review the events in the risk index and use an aggregation of events impacting a single entity to generate findings

Detections review the risk index for anomalous events and threat activities. When the detections find an entity associated with several intermediate findings, the detections create findings in Splunk Enterprise Security. When the risk scores associated with the findings surpass a specified threshold over a period of time, analysts focus their efforts on connected behaviors associated with the finding. The aggregated risk score of an asset or identity is the sum of all the risk scores for intermediate findings in the risk index that apply to the specific asset or identity over a period of time.

For example, a finding might be created when the detection identifies a single machine that generated 5 intermediate findings. These events can be combined to cross a threshold of the following factors:

• Risk score
• MITRE ATT&CK techniques
• Unique data sources over various time frames

Step 3: Risk factors trigger intermediate findings in the risk index

Analysts can also define risk factors that add or multiply risk scores associated with assets and identities such as users or systems when suspicious behavior occurs. For example, an analyst might want to multiply risk scores by 1.5 for a privileged user, who is also an administrator. Instead of triggering a finding that populates the Mission Control page, risk factors trigger an intermediate finding in the risk index.

Step 4: Context rich findings help to triage and neutralize threat

Analysts can also add relevant context to risk attributions by mapping them against a relevant cybersecurity framework or applying a risk score to the finding. You can associate findings with conditions such as MITRE ATT&CK tactics or techniques. MITRE ATT&CK tactics are categories of activities such as privilege escalation or command and control, while MITRE ATT&CK techniques are specific activities such as kerberoasting or protocol tunneling. Using Splunk Security Essentials or Splunk Enterprise Security content updates, you can identify the techniques covered by your data sources and build a breadth of detections across every tactic. Splunk Enterprise Security also supports NIST, CIS, Critical Security Controls, and the Lockheed Martin Cyber Kill Chain frameworks. When a risk score or behavioral pattern of an asset or identity meets a predetermined threshold, it triggers a finding or alert, which provides analysts with valuable context at the onset of their investigation process and expedites the neutralization of threats.

Advantages of using risk-based alerting in Splunk Enterprise Security

Using RBA to analyze risk in your security environment offers the following advantages:

Detect fraud using RBA in the Splunk App for Fraud Analytics

You can also use the Splunk App for Fraud Analytics to detect fraud. This app uses the RBA framework to provide high fidelity and actionable fraud alerts for account takeovers and new account fraud. You can also use this app to get started with RBA using some default searches and dashboards even if you do not have prior knowledge of SPL.

Download and install the Splunk App for Fraud Analytics in your Splunk Platform environment from Splunkbase. For more information on the app, see Splunk App for Fraud Analytics User Guide.

Additionally, you can contact your Splunk Sales representative to deploy this app along with your existing Splunk Enterprise Security deployment. With this app, you can display fraud related alerts and drill down on fraud analysis dashboards in Splunk Enterprise Security.

You do not need to download the app to use RBA in Splunk Enterprise Security.

See also

For more details on risk-based alerting in Splunk Enterprise Security, see the product documentation:

• Risk scoring in Splunk Enterprise Security
• Modifying risk using risk modifiers in Splunk Enterprise Security
• Assign risk using risk modifiers in Splunk Enterprise Security
• Review risk-based findings in Splunk Enterprise Security
• Create risk factors to adjust risk scores in Splunk Enterprise Security