Splunk® Security Analytics for AWS

User Manual


Manage risk in Splunk Security Analytics for AWS

Manage risk by identifying actions that raise the danger profile of individuals or assets. These individuals or assets can be assigned a risk score. A risk score is a single metric that shows the relative risk of a device or user in the network environment over time.

Create and edit risk objects

You can create and edit risk objects to categorize a group of things that you want to assign a risk score. For example, you might categorize laptops as a "system" risk object type and people as a "user" risk object type.

  1. From the menu bar, select Configure > Content > Content Management.
  2. See Create and edit risk objects in Splunk Enterprise Security in Administer Splunk Enterprise Security.

Manage risk factors

You can manage risk factors to adjust risk scores for risk objects so that you can isolate threats by mapping out the risk in the environment. For example, you can modify the calculated score for AWS GuardDuty and Security Hub alert risk events.

The following risk factors are enabled by default:

  • The Critical Severity Alert risk factor increases the risk when the alert is critical severity.
  • The High Severity Alert risk factor increases the risk when the alert is high severity.
  • The Medium Severity Alert risk factor does not increase or decrease the risk when the alert is medium severity.
  • The Informational Severity Alert risk factor decreases the risk when the alert is informational severity.
  • The Low Severity Alert risk factor decreases the risk when the alert is low severity.

To manage risk factors:

  1. From the menu bar, select Configure > Content > Content Management.
  2. See Manage risk factors in Administer Splunk Enterprise Security.

Analyze risk

You can use the Risk Analysis dashboard to assess relative changes in risk scores and examine the events that contribute to an object's risk score.

  1. From the menu bar, select Risk Analysis.
  2. See Risk Analysis in Use Splunk Enterprise Security.
Last modified on 11 August, 2021

This documentation applies to the following versions of Splunk® Security Analytics for AWS: 1.0.0
