Isolate threats using risk-based alerting
Buttercup Games, a fictitious company, runs an e-commerce site to sell its products. Kay, the manager of the security operations center (SOC) at Buttercup Games, receives numerous notables during the course of a morning indicating various suspicious behaviors over a specific time period that might be a risk to their organization.
        
      
Without risk-based alerting
Prior to using risk-based alerting (RBA), Kay requested Ram, a security analyst on their team, to use Splunk Enterprise Security to run correlation searches on all assets and identities to generate security events and create notables or risk alerts. As is typical of other security information and event management (SIEM) environments, the correlation searches generated an excessive amount of notables, over 10,000 alerts each day. The sheer volume of alerts caused Ram to overlook mission critical alerts because manually parsing through thousands of notables to identify patterns caused exhaustion and burnout.
Additionally, Ram was not able to see notables in context because separate alerts got assigned to other security analysts at different points in time. Each analyst saw only a single event in a string of activities and dismissed the notable. None of the analysts had the full context of the notable and were receiving too many low-level alerts, which caused them to miss the bigger picture. This method of threat detection was neither efficient nor effective for Buttercup Games because high-fidelity notables were often suppressed or abandoned and were not incorporated into the investigative story, which created visibility gaps.
With risk-based alerting
Now, Kay asks Ram to use the risk alerting framework in Splunk Enterprise Security to dynamically adjust risk scores for assets and identities based on specific conditions. With RBA, threat detection focuses on multiple parameters such as security metadata or alert source, ATT&CK technique, and risk score. Risk scores are dynamically modified based on the attributes of the risk object, such as a privileged user, or an external server. Ram receives alerts only after reaching a certain risk threshold that correlates to the same object.
Dynamically adjusting risk scores allows Ram to automatically raise the risk scores associated with specific assets and identities by assigning these conditions as risk factors. Assigning risk factors helps to expose notables for investigation. Therefore, Ram can prioritize suspicious behavior and mitigate risk by taking quick action on the risk event.
The risk alerting framework in Splunk Enterprise Security allows Kay and Ram to conduct higher value investigations through more streamlined and effective threat isolation. Ram leverages the risk alerting framework to explore the high volume and noisy endpoint data that Kay asked him to investigate.
The following figure shows an example of how a single risk notable created by a risk incident rule uses multiple events, which do not trigger individual alerts.
        
      
This scenario describes how Kay, a SOC manager, and Ram, a security analyst, use risk scores and risk factoring to classify the notables based on risk level and map out the risk in their security environment by taking these steps.
- Assign risk scores to assets and identitiesNo Content found for /index.php?title=Documentation:ES:Usecases:AssignRiskScores&action=edit&redlink=1
- Generate notables using correlation searchesNo Content found for /index.php?title=Documentation:ES:Usecases:GenerateRiskNotables&action=edit&redlink=1
- Add annotations to enrich correlation search resultsNo Content found for /index.php?title=Documentation:ES:Usecases:AddAnnotations&action=edit&redlink=1
- Classify risk objects based on annotationsNo Content found for /index.php?title=Documentation:ES:Usecases:ClassifyRiskObjects&action=edit&redlink=1
- Add a risk message and a risk score to a notableNo Content found for /index.php?title=Documentation:ES:Usecases:AddRiskMessage&action=edit&redlink=1
- Adjust risk scores for specific objectsNo Content found for /index.php?title=Documentation:ES:Usecases:AdjustRiskScore&action=edit&redlink=1
See also
For more information on how risk-based alerting works in Splunk Enterprise Security, see the product documentation: