Review risk-based findings in Splunk Enterprise Security
Findings or finding-groups based on risk are generated when you run a finding-based detection.
Evaluate the risk associated with findings using the following methods:
- Review the fields in a risk-based finding
- Review the findings from the same entity
- Review the findings enriched by entity zones
- Use the drill down search to review findings
- View the MITRE ATT&CK posture for a finding
Review the fields in a risk-based finding
Risk-based findings associate risk scores or other relevant security metadata with a system, user, or other entities. The following fields in risk-based finding or finding groups are important for identifying threat:
Field | Description | Required/Optional? |
---|---|---|
Entity | Any object that represents potential security threats such as an asset, identity, user, or device tracked by Splunk Enterprise Security. | Required |
Entity type | Type identifier for the entity, which can be a system, user, or a custom value. | Required |
Risk score | A number that represents the risk level of a specific entity. Risk events have a default score that you can modify using risk factors. | Required |
Risk event count | The total number of events associated with the finding. | Required |
Risk message | A unique message to describe the risk activity, which can use fields from the event using the $event$ syntax. For example: Suspicious Activity to $domain$
|
Optional |
Threat object | An interaction or behavior associated with the entity. For example: The Domain threat object tracks the behavior of the domain across all entities
|
Optional |
Threat object type | Identifies the type of threat object such as domain , URL , IP address , file hash , command line , or process name .
|
Optional |
The following fields might also exist in the finding and might be useful to identify risk:
Field | Description |
---|---|
drilldown_earliest | The start time used to identify the contributing events for the finding. This value is automatically populated using the info_min_time in the notable framework.
|
drilldown_latest | The end time used to identify the contributing events for the finding. This value is automatically populated using the info_max_time in the notable framework.
|
drilldown_search | The search used to identify the contributing events for the finding. This search must return a calculated_risk_score field. The calculated_risk_score field is common to the risk data model.
|
You can access the field drilldown_search
from the finding-based detection editor for the finding. You can also customize the drilldown_search
field to enter the contributing events that creates a finding and populates the Timeline visualization.
In addition to analyzing the risk-based findings or finding groups, other factors that might help to identify threat include:
- Number of events
- Specific finding-based detection that generate the findings
- Number of events triaged using security orchestration automation and response (SOAR)
- Number of events remediated using Splunk SOAR
Review the findings from the same entity
Surface high risk findings that come from the same entity so that you can investigate connected behaviors and threats.
Entities correspond to assets and identities. However, sometimes the same assets and identities might have different display names. For example, the following three display names represent an email address that belongs to a single user. Each entity has a specific number of contributing events associated with it.
rob
has 5 contributing risk eventsrob@splunk.com
has 4 contributing risk eventsrob@splunk
has 2 contributing risk events
The normalized_risk_object
field in Splunk Enterprise Security gets assigned to events so that the detections can group together the events that correspond to the same asset or identity. Event-based detections create findings when they exceed a certain risk threshold. Events with matching normalized entities are often grouped together by Splunk Enterprise Security and as a result, the risk-based alerting framework sees them as a single entity.
The entity that appears most frequently is the entity that gets displayed to the user for the finding. However, the normalized entity is used to calculate risk scores. Risk score calculation is based on the first element that is listed on the Asset and Identity lookup for that entity. Risk scores are not calculated based on the entity that is displayed most frequently.
In this example, all three entities get displayed as rob
even though they map to the same identity, which is the email address of a user named Rob. Thus, the total risk score of a finding depends on all the contributing events associated with the same normalized entity, which is higher. This increases the likelihood that the risk-based finding creates true positive findings based on behaviors associated with a single entity and helps to detect threats during investigations.
If entities that represent the same asset or identity don't get grouped together, the risk they represent might get overlooked because they do not exceed the risk threshold that creates findings. However, if the entities that represent the same asset or identity get normalized and grouped together, connected behaviors that indicate threat become more visible.
Follow these steps to surface high risk findings that come from the same entity so that you can investigate connected behaviors and threats:
- Configure the
entity_type
field correctly so that Splunk Enterprise Security can normalize the assets and identities and group their events accurately.-
Ensure that the
entity_type
field of the event is asystem
so that Splunk Enterprise Security associates the entity of a user's event with an asset. - Ensure that the
entity_type
field of the event is auser
so that Splunk Enterprise Security associates the entity of a system's event with an identity.
-
Ensure that the
- Navigate to the Search page and search for
index = notable
to view the normalized entity associated with a finding. - Navigate to the Mission Control page and expand the finding to view the most frequent entities from all the contributing events grouped together.
Review the findings enriched by entity zones
Surface high risk findings based on entity zones so that you can investigate threats effectively based on the additional context provided by the entity zones.
Entity zones help distinguish between entities that might be mapped to the same asset and identity by providing context to the events through additional information such as geographic location, source, destination, and so on. For example, you might configure different entity zones for the same username or identity based on different departments within the same organization. Similarly, you might configure different entity zones for the same IP address or asset based on two different locations such as San Jose and San Francisco. Entity zones provide enrichment and help to evaluate the risk associated with the event and the entity more effectively to surface true positives.
Finding-based detections create findings when they exceed a certain risk threshold. If the entities, such as IP addresses based in San Jose and San Francisco, get grouped together without the additional context provided by entity zones, their combined risk score can exceed the risk threshold. This creates a higher volume of findings that might not have any real risk associated with them, when evaluated individually. Additional context provided by entity zones helps to reduce the alert volume.
The normalized_risk_object
field in Splunk Enterprise Security gets assigned to risk events so that detections can group together the events that correspond to the same asset or identity along with the additional context provided by the entity zones.
Follow these steps to surface high risk findings based on entity zones so that you can investigate threats effectively based on the additional context provided by the entity zones:
- In the Analyst queue on the Mission Control page, expand the finding to view the entity zone associated with the finding.
- Evaluate the risk associated with the finding if they pertain to the same entity zone.
Additionally, if you make changes to the entity zones or the assets and identity framework, you might cause a change to the entity normalization, which might result in contributing events not being visible on the Risk Event Timeline visualization. This pertains to findings that were created prior to making the changes to the entity zones and assets and identity framework.
Use the drill down search to review findings
Follow these steps to correlate and aggregate the risk associated with entities in Splunk Enterprise Security:
- Using the Drill-down search identify the following:
- All relevant events applied to the entity including
risk message
,src
,dest
,user
, andrisk factors
- MITRE ATT&CK annotations
- Related entities associated with the events
The following is an example of a drill-down search that you can use to identify events, MITRE ATT&CK annotations, entities, and so on:
| from datamodel:"Risk.All_Risk" | search risk_object="$risk_object$" | table _time, risk_object, risk_object_type, source, annotations.mitre_attack.mitre_tactic_id, annotations.mitre_attack.mitre_technique_id, dest, src, user, risk_message, calculated_risk_score, risk_factor* | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_technique_id as mitre_technique_id | eval risk_event_type="primary_object" | append [| from datamodel:"Risk.All_Risk" | search risk_object!=" $risk_object$" (dest="$risk_object$" OR src="$risk_object$" OR user="$risk_object$") | table _time, risk_object, risk_object_type, source, annotations.mitre_attack.mitre_tactic_id, annotations.mitre_attack.mitre_technique_id, dest, src, user, risk_message, calculated_risk_score, risk_factor* | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_technique_id as mitre_technique_id | eval risk_event_type="related_object" ]
These drill down searches help to investigate the entity associated with a finding in the analyst queue on the '''Mission Control''' page.
- All relevant events applied to the entity including
View the MITRE ATT&CK posture for a finding
View the MITRE ATT&CK posture within the context of a finding so that you can reduce the mean time to detection (MTTD) and mean time to repair (MTTR) and enhance the situational awareness in your security operations center (SOC).
Follow these steps to view the MITRE ATT&CK posture for a finding in context:
- In the Splunk Enterprise Security app, select Mission Control.
- Select a finding from the list of findings to open it on the side panel.
A list is displayed with the field name "MITRE to see the highlighted MITRE tactics and techniques that were detected for the entity.
If you select the investigation for the finding, a MITRE matrix chart displays all the tactics and techniques for every event associated with the entity for that finding.
You can also scroll to Additional fields to see the list of MITRE ATT&CK tactics and techniques for the finding.
See also
For more information on reviewing findings, see the product documentation:
Create risk factors to adjust risk scores in Splunk Enterprise Security | Reviewing findings using the risk timeline visualization in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!