Splunk® Enterprise Security

Administer Splunk Enterprise Security

Modifying risk using risk modifiers in Splunk Enterprise Security

Assign risk to event-based detections by configuring risk modifiers. Risk modifiers are events in the risk index of Splunk Enterprise Security that can be used to modify the risk associated with an entity. Risk modifier events contain, at a minimum the following fields: risk score, entity, and entity_type.

You can create risk modifiers by assigning risk scores to entities and entity types for event-based detections in the event-based detection editor. You can also add a risk message when creating a risk modifier in the event-based detection editor to provide context for the analyst during investigations.

For example, a security analyst wants to track users who have downloaded a potentially malicious powershell script from the Internet. This script runs remotely on the host in-memory and indicates a fileless malware attack.

The risk modifier is an event in the risk index that includes the following fields for a user "anna", in addition to information on the powershell script:

  • entity = anna
  • entity_type = user
  • risk_score = 30

However, if "anna" is an administrator user, you can additionally use risk factors based on the field values of the entity to represent the increased risk from a privileged user and automatically increase the score. For example, the detection engineer might raise the risk score of the user "anna" by 30 because she has privileged credentials.

While risk modifiers are important for calculating risk scores and assigning risk scores to entities, risk factors are multipliers of risk and depend on the characteristics of the specific user or asset. Risk factors modify the risk score by increasing or decreasing the score based on field values in the risk index. Thus, risk factors help to create more precise risk scores that are based on real threat.

In this case, the risk modifier includes the following fields for the administrator user "anna" to track powershell activity:

  • entity = anna
  • entity_type = user
  • risk_score = 60

Thus, risk modifiers are key to calculating risk scores and assigning risk scores to entities. Risk factors can add, subtract, or multiply risk depending on the characteristics of the specific user or asset. Using risk factors, you can select conditions to dynamically adjust risk scores and surface more suspicious behavior.

The risk data model accelerates these fields for the Risk analysis dashboard and the Mission Control page.

The following are some examples of situations where you can use risk modifiers to assign or modify the risk associated with an entity:

Example Description
Priority of the asset or identity associated with the event Assign a higher risk score to an asset or identity that has a higher priority score based on the potential risk they represent for the organization. The same type of events from two different systems or users might not need the same level of attention. An event of medium severity event from a desktop machine is less urgent than the same event from an externally facing web-server that processes credit card information. Managing assets and identities in Splunk Enterprise Security allows you to compute urgency based on the priority of systems and users and assign higher urgency to higher priority assets. Priority values can include: Unknown, Low, Medium, High, or Critical.
Category of the asset or identity Assign a higher risk score to an asset or identity that might belong to a suspicious category. Category refers to a logical grouping to organize assets and identities in lookups that are used by detections to identify systems and users that might be malicious or suspicious For example: Contractor, Cardholder, Privileged.
User as Administrator Assign a higher risk score to a user who has privileged access as an administrator.
Each administrator account represents a potential attack surface that an attacker can target. Assigning a higher risk score to an administrator user account helps to monitor the administrator account to limit the overall organizational risk. Membership of these privileged groups of users grows naturally over time as people change roles if the membership is not actively limited and managed.
Entity being on a watchlist Assign a higher risk score to an entity that is on a watchlist because it represents a higher risk. The detection for Watchlisted Event Observed creates findings for specific watch lists. You can setup watchlist tags to generate findings from specific security concerns, such as a missing laptop or suspicious domains. The detection for Watchlisted Event Observed is:

tag=watchlist NOT sourcetype=stash | `get_event_id` | `map_notable_fields`

Time of day Assign a higher risk score to an event for specific times during the day when the potential of suspicious activity is higher. For example, multiple log in attempts during non-business hours.
The location of the event Assign a higher risk score to an event if there is an increased likelihood of a potential cyberattack based on the location of the event.
Other criteria Assign any criteria that you deem relevant to your security environment as a potential risk modifier.

The following table identifies the fields used to configure the risk modifiers:

Risk modifiers Description Value
Risk score Displays the relative risk of an asset or identity such as a device or a user in your network environment over time. Positive or negative integer.
Entity Represents a system, host, device, user, role, credential, or any object that the detection reports on. Text field. You can also enter a wildcard character with an asterisk (*).
Entity type Maps the entity to a specific type. Example: system, user, hash_values, network_artifacts, host_artifacts, tools, other


See also

For more information on risk scoring and risk-based alerting, see the product documentation.

Last modified on 08 October, 2024
Risk scoring in Splunk Enterprise Security   Assign risk using risk modifiers in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters