Modifying risk using risk modifiers in Splunk Enterprise Security
Assign risk to event-based detections by configuring risk modifiers. Risk modifiers are events in the risk index of Splunk Enterprise Security that can be used to modify the risk associated with an entity. Risk modifier events contain, at a minimum the following fields: risk score
, entity
, and entity_type
.
You can create risk modifiers by assigning risk scores to entities and entity types for event-based detections in the event-based detection editor. You can also add a risk message when creating a risk modifier in the event-based detection editor to provide context for the analyst during investigations.
For example, a security analyst wants to track users who have downloaded a potentially malicious powershell script from the Internet. This script runs remotely on the host in-memory and indicates a fileless malware attack.
The risk modifier is an event in the risk index that includes the following fields for a user "anna", in addition to information on the powershell script:
entity = anna
entity_type = user
risk_score = 30
However, if "anna" is an administrator user, you can additionally use risk factors based on the field values of the entity to represent the increased risk from a privileged user and automatically increase the score. For example, the detection engineer might raise the risk score of the user "anna" by 30 because she has privileged credentials.
While risk modifiers are important for calculating risk scores and assigning risk scores to entities, risk factors are multipliers of risk and depend on the characteristics of the specific user or asset. Risk factors modify the risk score by increasing or decreasing the score based on field values in the risk index. Thus, risk factors help to create more precise risk scores that are based on real threat.
In this case, the risk modifier includes the following fields for the administrator user "anna" to track powershell activity:
entity = anna
entity_type = user
risk_score = 60
Thus, risk modifiers are key to calculating risk scores and assigning risk scores to entities. Risk factors can add, subtract, or multiply risk depending on the characteristics of the specific user or asset. Using risk factors, you can select conditions to dynamically adjust risk scores and surface more suspicious behavior.
The risk data model accelerates these fields for the Risk analysis dashboard and the Mission Control page.
The following are some examples of situations where you can use risk modifiers to assign or modify the risk associated with an entity:
Example | Description |
---|---|
Priority of the asset or identity associated with the event | Assign a higher risk score to an asset or identity that has a higher priority score based on the potential risk they represent for the organization. The same type of events from two different systems or users might not need the same level of attention. An event of medium severity event from a desktop machine is less urgent than the same event from an externally facing web-server that processes credit card information. Managing assets and identities in Splunk Enterprise Security allows you to compute urgency based on the priority of systems and users and assign higher urgency to higher priority assets. Priority values can include: Unknown, Low, Medium, High, or Critical. |
Category of the asset or identity | Assign a higher risk score to an asset or identity that might belong to a suspicious category. Category refers to a logical grouping to organize assets and identities in lookups that are used by detections to identify systems and users that might be malicious or suspicious For example: Contractor, Cardholder, Privileged. |
User as Administrator | Assign a higher risk score to a user who has privileged access as an administrator. Each administrator account represents a potential attack surface that an attacker can target. Assigning a higher risk score to an administrator user account helps to monitor the administrator account to limit the overall organizational risk. Membership of these privileged groups of users grows naturally over time as people change roles if the membership is not actively limited and managed. |
Entity being on a watchlist | Assign a higher risk score to an entity that is on a watchlist because it represents a higher risk. The detection for Watchlisted Event Observed creates findings for specific watch lists. You can setup watchlist tags to generate findings from specific security concerns, such as a missing laptop or suspicious domains. The detection for Watchlisted Event Observed is:
|
Time of day | Assign a higher risk score to an event for specific times during the day when the potential of suspicious activity is higher. For example, multiple log in attempts during non-business hours. |
The location of the event | Assign a higher risk score to an event if there is an increased likelihood of a potential cyberattack based on the location of the event. |
Other criteria | Assign any criteria that you deem relevant to your security environment as a potential risk modifier. |
The following table identifies the fields used to configure the risk modifiers:
Risk modifiers | Description | Value |
---|---|---|
Risk score | Displays the relative risk of an asset or identity such as a device or a user in your network environment over time. | Positive or negative integer. |
Entity | Represents a system, host, device, user, role, credential, or any object that the detection reports on. | Text field. You can also enter a wildcard character with an asterisk (*). |
Entity type | Maps the entity to a specific type. | Example: system , user , hash_values , network_artifacts , host_artifacts , tools , other
|
See also
For more information on risk scoring and risk-based alerting, see the product documentation.
- Risk scoring in Splunk Enterprise Security
- Assign risk using risk modifiers in Splunk Enterprise Security
- Risk analysis dashboard in the Use Splunk Enterprise Security manual.
Risk scoring in Splunk Enterprise Security | Assign risk using risk modifiers in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!