Use this high level tutorial to deploy risk-based alerting (RBA) in Splunk Enterprise Security and investigate threat in you security environment. Additional customizations might be required to maximize the impact of risk based alerting for more complex security environments. For more information on tuning and curating risk using RBA, see Curate risk using risk based alerting.
If you have a support contract, you can file a case to further customize risk based alerting using the Splunk Support Portal. See Support and Services.
Follow these steps to configure risk-based alerting:
- Update assets and identities
- Configure data models
- Run risk based correlation searches
- Use risk factors to dynamically adjust risk scores
- Review notables to identify risk
- Curate risk to reduce false positives
- Configure more risk rules to evaluate risk
Update assets and identities
Maintaining your asset and identity framework is key to deploying risk-based alerting in your organization. Assets and identities such as systems and users in your organization are considered risk objects. Follow these guidelines to optimally configure assets and identities for RBA in Splunk Enterprise Security:
- Review the completeness of your LDAP data and determine how critical the various assets and identities are for your organization's mission and processes so that you can prioritize the risk associated with the assets and identities accordingly.
- In Splunk Enterprise Security, navigate to Search > Search.
- Display all your asset and identity data.
On the search bar, type the following to list identity data:
(For identities)| `identities`
On the search bar, type the following to list asset data:
(For assets: )| `assets`
- Review the Risk Analysis framework in Splunk Enterprise Security and formulate a plan to raise risk scores of the assets and identities in your organization based on their context.
An automatic lookup from within the SA-Identity Management app in Splunk Enterprise Security compares indexed events with asset and identity data in the asset and identity lists to provide data enrichment and context. The additional asset and identity context added to indexed events helps to identify the criticality of specific assets or identities within your SOC and assign risk scores to them accordingly.
See also- Asset and identity correlation.
- Update assets and identities
- Configure asset and identity correlation
- Collect and extract asset and identity data
- Use the Risk Factor Editor in Splunk Enterprise Security to increase or decrease the risk scores associated with your assets and identities. This helps to customize risk in your security environment based on evolving threat.
Use a vulnerability scanner that identifies and creates an inventory of all the systems connected to your network to ensure the completeness of your asset and identity data. Vulnerability scanning identifies both the operating systems and the software installed on it, along with other attributes such as open ports and user accounts and checks each item in the inventory against one or more databases of known vulnerabilities for potential security breach.
Configure data models
Tune data models to write correlation searches that generate risk notables in Splunk Enterprise Security.
Data models group normalized events that exist in different indexes and sourcetypes and help to review the performance, accuracy, and data diversity in your security organization.
Follow these steps to configure data models for risk based alerting:
- Audit your datamodel performance.
In Splunk Enterprise Security, navigate to Audit > Datamodel Audit to check the data model accelerations and acceleration time frames.
Alternatively, you can type the following in your browser to audit your data models:https://<SPLUNK instance>/en-US/app/SplunkEnterpriseSecuritySuite/datamodel_audit - Check that the indexes feeding the common information data models (CIM) are accurate by verifying that they are tagged clearly and consistently.
In Splunk Enterprise Security, navigate to Configure > CIM Setup to check the data model settings and index configurations.
Alternatively, you can type the following in your browser to verify the data model configurations:https://<SPLUNK instance>/en-US/app/SplunkEnterpriseSecuritySuite/cim_setup - Check the diversity of your network data by reviewing network traffic, web, intrusion detection system (IDS), email, and authentication. You might also review the endpoints, network sessions, and network resolutions in your security environment to ensure that a large and varied dataset is analyzed to assess threat effectively.
See also
- Configure data models
- Create and manage data models in Splunk Enterprise Security
Run risk based correlation searches
Risk-based correlation searches are searches that mine the risk index and aggregate the risk associated with risk objects (assets and identities). When the sum of risk scores for all risk events associated with a risk object reaches a certain threshold, a risk notable is generated.
Follow these steps to run risk based correlation searches:
- Enable the default risk-based correlation searches provided by Splunk Enterprise Security to learn how risk based alerting works. To enable a risk based correlation search:In the Incident Review page, filter the correlation searches by risk and select the checkbox next to the default correlation searches.
All other correlation searches must be disabled to avoid unnecessary data noise.
Following are the default risk based correlation searches:
ATT&CK Tactic Threshold Exceeded For Object Over Previous 7 DaysRisk Threshold Exceeded For Object Over 24 Hour Period
The risk based correlation search:
ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 dayscreates risk notables when the number of MITRE tactics exceeds three over the last seven days i.e. tactic_count >=3 and source_count >=4. This risk based correlation search searches the risk index for data diversity as defined by the MITRE ATT&CK framework.The risk-based correlation search
Risk Threshold Exceeded for Object Over 24 Hour Periodcreates risk notables when the risk score for an object exceeds 100 over the last 24 hours i.e. risk_score_sum > 100. This risk based correlation search searches the risk index and aggregates risk scores by object. For example, if an object has eight related events, each with a calculated risk score, the search adds all the eight scores together. This default risk based correlation search has a default setting of a 24 hour search window. - Specify the search time range and search schedule to run the risk based correlation search. Use the following search timeline and schedule settings to balance your search performance, account for data lags, and set longer time frames to evaluate threat:
- Earliest: -1h@h
- Latest: @h
- Schedule Cron: 07 * * * *
Risk based correlation searches are usually run once in an hour.
- Use the Correlation Search editor to adjust the risk scores and severity associated with the risk based correlation search.You can also add dynamic severity to the search as follows:
For example:- For a risk score > 100 over 12 hours, Severity is Medium
- For a risk score > 150 over 12 hours, Severity is High
- For a risk score > 200 over 12 hours, Severity is Critical
Do not overthink how to assign risk scores since the risk score of a single event matters less than the total number of events related to an individual object. When you assign risk scores to risk objects, you assign scores to individual events and the event scores are aggregated over time.
- Create a dynamic risk message for each risk based correlation search. Make sure that the risk message is descriptive, yet concise and consistent.
A risk message is an adaptive response action. Adding a custom risk message to a risk rule may help to build detections based on specific information, such as risk scores. For more information on how to create a risk message, see Create a risk message. - Use the Risk Analysis adaptive response action in the Correlation Search Editor to assign risk to multiple risk objects by specifying risk scores, risk objects, risk object types, threat objects, threat object types, and a risk message.
Prior to Splunk Enterprise version 6.4.x, only a single risk object could be configured in a correlation search.
For more information on assigning risk, see Assign risk in Splunk Enterprise Security.
Following are some common pairings of risk object field with risk object type:
- user/source
- source/dest
- user/source/dest
See also
- Use default correlation searches to generate risk notables in Splunk Enterprise Security
- How risk notables are generated
Create a risk message
Follow these steps to create a risk message:
- In Splunk Enterprise Security, select Configure > Content > Content Management.
- Filter to display any risk based correlation search.
- Click on the risk incident rule to open the correlation search editor.
- Scroll to Adaptive Response Actions.
- Click Add New Response Action.
- Scroll to select the Risk Analysis adaptive response action from the drop down list so that when the correlation search finds events, it creates risk events in the risk index.
- Type a risk message. For example: "Possible Bypass of User Account Controls".
You can also add custom fields to the risk message using the$variable$format. For example: The instance of$parent_process_name$spawning$process_name$was identified as an attempt to add a certificate to the store on endpoint$dest$by user$user$ - Add risk modifiers by populating the following fields:
- Risk Score
- Risk Object Field
- Risk Object Type
- Click Save.
Use risk factors
Risk modifiers are key to calculating risk scores and adjusting risk scores for risk objects. Risk factors are multipliers of risk that are based on the characteristics of the specific user or asset. You can specify conditions to dynamically adjust risk scores and simplify the threat investigation process by surfacing suspicious behavior.
For more information on risk factors, see
- Create risk factors in Splunk Enterprise Security
- Manage risk factors in Splunk Enterprise Security
- Use default risk factors in Splunk Enterprise Security
Configure risk factors with the following conditions:
- Watchlist Users: watchlist=true, multiply by 1.2
- Critical Priority – Asset: priority=critical, multiply by 1.2
- Critical Priority – User: priority=critical, multiply by 1.2
Evaluating data based on individual criticality and prioritizing key data elements are central to verify the completeness of your assets and identity data in Splunk ES. See Update the assets and identity framework.
Splunk ES calculates the total risk score dynamically as risk factor calculations are displayed only in the risk data model, not the risk index.
Review notables to identify risk
Correlate and aggregate the risk associated with assets and identities.
- In Splunk Enterprise Security, click on Content > Content Management to open the risk based correlation search in the correlation search editor.
- Scroll to Adaptive Response Actions > Notable.
- Use the following search in the Drill-down Search to identify:
- All relevant risk events applied to the risk object including risk message, src, dest, user, and risk factors
- MITRE ATT&CK annotations
- Related risk objects associated with the risk events
| from datamodel:"Risk.All_Risk" | search risk_object="$risk_object$" | table _time, risk_object, risk_object_type, source, annotations.mitre_attack.mitre_tactic_id, annotations.mitre_attack.mitre_technique_id, dest, src, user, risk_message, calculated_risk_score, risk_factor* | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_technique_id as mitre_technique_id | eval risk_event_type="primary_object" | append [| from datamodel:"Risk.All_Risk" | search risk_object!=" $risk_object$" (dest="$risk_object$" OR src="$risk_object$" OR user="$risk_object$") | table _time, risk_object, risk_object_type, source, annotations.mitre_attack.mitre_tactic_id, annotations.mitre_attack.mitre_technique_id, dest, src, user, risk_message, calculated_risk_score, risk_factor* | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_technique_id as mitre_technique_id | eval risk_event_type="related_object" ]Adding this drill down to notable events helps drill down into the risk object from a notable event within the '''Incident Review''' panel.
Curate risk to reduce false positives
Use throttling and search filtering to adjust risk based alerting and generate high fidelity notables to reduce false positives. You can throttle by risk objects, risk scores, and risk message. You might also add filters to prevent known false positives from being written to the risk index. For example: signature!="", URL!="*.google.com*" . You can also adjust the searches that aggregate risk from the events in the risk index by throttling on risk object, source, and risk incident rules. For more information on throttling, see Throttle alerts.
You can also suppress notables to prevent a sudden flood of new notables when a new risk rule is deployed. For more information on suppressing risk notables or alerts, see Define alert suppression groups to throttle sets of similar alerts
Additionally, you can suppress notables and prevent a sudden flood of notables from impacting your SOC by setting the Urgency level of some notables as Informational.
For more information on tuning risk notables to curate risk, see Curate risk in your security environment using risk based alerting.
Configure more risk based correlation searches to evaluate risk
Configure, deploy, and adjust more risk rules to experiment with the differences between the alerts generated by risk based alerting in Splunk Enterprise Security that might range from data configuration to detection writing to incident response playbooks.
The total number of risk based correlation searches do not impact threat detection since dynamic rules can produce exponential amounts of visibility in your security environment. Data source diversity and the number of risk events that are recorded to your risk index on a weekly basis are the true measure of visibility into your security environment.
Use visualizations to drill down on threat
Use dashboard visualizations in Splunk Enterprise Security to drill down on risk notables and investigate threat.
See also
- Introduction to the dashboards
- Use the Threat Topology visualization to analyze risk notables
- Use the Risk Timeline to analyze risk events
