Create risk factors to adjust risk scores in Splunk Enterprise Security
Create risk factors to adjust risk scores for entities so that you can effectively isolate threats by mapping out the risk in the environment. Additionally, proactively managing risk factors helps to track evolving security threats
Create a new risk factor in Splunk Enterprise Security
Create new risk factors to modify risk scores using basic and advanced conditions.
Prerequisites
- Preview the risk events that match your conditions prior to saving risk factors.
- Have the
edit_risk_factor
capability to create or make changes to the risk factors using the UI. - Identify the fields that you want to include in the risk factor by checking the events in the risk index or verifying matching events in the Risk factor editor.
Create risk factor
Follow these steps to create a new risk factor using the Risk factor editor:
- In the Splunk Enterprise Security app, select Security content, and then select Risk factors.
This opens the Risk factor editor. - Select Add risk factor.
- Add the following information to create the new risk factor.
- In the Name field, enter the name of the new risk factor.
- In the Description field, provide a description for the new risk factor.
- In the Operation list, select one of the following options to modify the original risk score: Addition or Multiplication.
Addition factors are always applied before the multiplication factors. - In the Conditions panel, select the criteria for which you want to base the value of your risk factor. For example, if the event field
Owner
contained the phrase "admin", you can add 10 to the risk score.
Set conditions to dynamically generate a value for the risk factor and identify the associated threat. If the risk factor meets the conditions specified, the threat level for the entity is proportionally increased or decreased. To set simple conditions, see Set basic conditions to assign risk scores.
To set advanced conditions such as using a wildcard search, see Set advanced conditions to assign risk scores. - In the Factor field, assign a numerical value for the risk factor.
The number that you enter in the Factor field is not an arbitrary value and depends on the conditions that you select in the Conditions panel in the next step.
- Select Save to save your changes.
You have the option to create a risk factor and then turn it off by dragging the Turn on button. To turn on a risk factor for your deployment, you can drag the Turn on button.
Set basic conditions to assign risk scores
Follow these steps to set conditions based on the event field and value and assign an appropriate score to the entity:
- In the Conditions panel of the risk factor editor, select the Basic tab.
- In the Risk event field, enter a value for the event field to which you want to assign a risk factor.
- In the Risk event value field, enter a value against which you want to compare the event field. The value can be a static value or the name of another field.
- Select Save.
Set advanced conditions to assign risk scores
You can create more targeted risk factors by adding multiple conditions. You can configure multiple conditions when creating risk factors by selecting the + icon in the Risk factor editor. To remove conditions, select the Remove button for the specific risk factor in the Risk factor editor.
When you add multiple conditions to a risk factor, they are aggregated using the AND logical operator.
For example: If you define a risk factor with the following conditions:
Condition #1:
Risk event field = user_category
Comparator = is equal to
Value = privileged
Condition #2:
Risk event field = user_category
Comparator = is equal to
Value = admin
You can use the SPL preview to view how the conditions get applied to create the risk factor:
If ("user_category" = "privileged" AND "user_category" = "admin", 20.0)
Use the following steps to configure conditions for risk factors:
- In the Conditions pane of the risk factor editor, select the Advanced tab.
- In the Risk event field, enter a value for the event field to which you want to assign a risk factor. For example:
user_category
orasset_category
.
- From the Comparator drop-down list, select the comparison parameter to indicate the relationship between the risk event field and value.
The following list indicates the possible options for comparator values:
- is equal to
- is not equal to
- matches regular expression
- like
- is greater than or equal
- is less than or equal
- is greater than
- is less than
- Toggle the Compare against field button to select or deselect the option of comparing the event field against a value.
Turning on the Compare against field option lets you use the Value field as a field name instead of a static string. - In the Value field, enter the value against which you want to compare the event field. The value can be a static value or the name of another field.
You must enter a numerical value for the Value field if you are using any of the following comparators from the drop-down menu: is greater than or equal, is less than or equal, is greater than, is less than. - Select Save.
- To set multiple conditions and create more targeted risk factors, select the + icon.
- To remove a condition, select the Remove button.
Verify the risk factor conditions
Follow these steps to review the risk factor conditions:
- In the Risk factor editor, use the preview option in the center pane to verify how the conditions and comparators apply to a risk factor.
- Access the Conditions pane of the Risk factor editor and select the Advanced tab to learn how the "like" comparator applies to the risk factors.
- Enter a value for the Risk event field, select "like" from the Comparator drop-down menu, and then enter the value for the risk factor in the Value field.
- Review how the search appears in the Preview field. For example:
if(like('risk_object',"bennay"), 0.0)
- Check the Risk factor editor to identify how many events match the conditions you added to the risk factor.
- Use search to verify if the risk factor displays the events to which you want to apply the risk factor.
Write conditions against asset and identity fields
If you write conditions against asset and identity fields for risk events, turn on the detection by sourcetype and add the sourcetype name of stash. Alternatively, you can turn on the detection for all sourcetypes. For example, if you write a condition for an asset with src_bunit=emea, the src_bunit field is an asset field that is automatically provided if the detection and the lookup are turned on.
Example 1
If you have a risk modifier defined as follows:
Risk entity | Value |
---|---|
risk_score | 120 |
risk_object | alice |
risk_object_type | user |
risk_object_priority | critical |
For example, if you define the risk factor to add the risk by 50 when the priority of the entity is critical, then the effective risk score for this risk modifier is 120 + 50 = 170.
Example 2
In this example, you configure a risk factor called "Critical Severity Alert" for a source, if a security threat is flagged in your AWS environment by AWS Security HUB or AWS GuardDuty, which is considered to be of critical severity. The risk factor search appears as follows:
if(match('source',"Threat - Amazon GuardDuty and AWS Security Hub.*- Risk Gen - Rule") AND 'severity'="critical",2.5,1)
Then, using the Risk Factor Editor, you can specify a condition to multiply the risk associated with this source by a factor of 2.5.
Similarly, if a user is a watchlisted user and the asset is of critical priority, you can configure a risk factor that multiplies the risk on the asset and the user by a factor of 1.2.
Manage risk factors in Splunk Enterprise Security
You can use the Risk factor editor in Splunk Enterprise Security for the following actions:
- Identify existing list of risk factors in your deployment by viewing the list displayed on the Risk factor editor.
- Search for specific risk factors by entering the name in the search bar on the left pane of the editor.
- Sort risk factors based on the name, the expression group, or the score of the risk factor. From the Sort by menu in the editor, select Name, Operation, or Value to display the sorted list of the risk factors.
- Display inactive risk factors by toggling the Show deactivated button. This displays the list of deactivated risk factors.
- Turn on risk factors by toggling the Activate button for the specific risk factor. Alternatively, you can turn on any of the risk factors by dragging the Turn on button for the specific risk factor. You can activate risk factors based on your requirements and evolving security threats over time.
- Delete risk factors by selecting the Delete button from the menu associated with the specific risk factor.
- Clone risk factors by selecting the Clone button from the menu associated with the specific risk factor.
- View matching risk events based on specified conditions or risk factors that are similar to the one you are editing in the right panel of the risk factor editor.
See also
For more information on assigning and modifying risk, see the product documentation:
Adjusting risk using risk factors in Splunk Enterprise Security | Review risk-based findings in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Feedback submitted, thanks!