Troubleshoot common issues with risk-based alerting
Following are some common issues that you might see when using risk-based alerting in Splunk Enterprise Security:
Risk index does not populate
Issue
The risk index index=risk does not generate risk events even after you have enabled the risk rules and the risk analysis adaptive response action.
Cause
- SPL for the risk rule is incorrect
- Risk rules are searching an empty repository
- Excessive number of risk rules which are not enabled
Solution
- Verify the SPL of your risk rules.
- Enable risk rules that might initially generate numerous events. Enabling the risk rules and generating risk events allows you to interact and adjust the risk rules.
Excessive number of risk notables
Issue
Too many risk notables that do not represent high fidelity alerts.
Cause
Excessive risk associated with some risk incident rules can generate excessive risk notables.
Solution
Adjust risk incident rules, threat objects, and risk notables so that they are meaningful to security analysts.
- In the Risk Analysis dashboard, navigate to the Most Active Sources to analyze the risk incident rules as follows:
| tstats summariesonly=false sum(All_Risk.calculated_risk_score) as risk_score,dc(All_Risk.risk_object) as risk_objects,count FROM datamodel=Risk.All_Risk WHERE * All_Risk.risk_object_type="*" (All_Risk.risk_object="*" OR risk_object="*") BY source | sort 1000 - count,risk_scoreUsing this search, identify the specific combinations of field values that contribute more risk than necessary.
For example, a risk incident rule for Endpoint Detection and Response (EDR) that generates multiple alerts indicates a high level of risk. However, a single alert generated by a risk incident rule for HTTP POST to Potentially Suspicious Domain might not represent similar risk. Thus, the analyst must use their judgement to determine whether to use allow lists or adjust the risk score, or both.
- Analyze the threat objects associated with the noisiest risk incident rule as follows:
| tstats sum(All_Risk.calculated_risk_score) as score_sum,values(All_Risk.calculated_risk_score) as score,dc(All_Risk.risk_object) as risk_objects,count FROM datamodel=Risk.All_Risk WHERE source="Threat - RR - Name of Our Noisy Rule - Rule" BY All_Risk.threat_object | sort - score_sumUsing this search, identify the specific combinations of field values that contribute more risk than necessary.