Risk scoring in Splunk Enterprise Security

A risk score is a single metric that shows the relative risk of an entity over time. An entity is any asset, identity, user, or device in your security environment that Splunk Enterprise Security can use to identify potential security threats. As an administrator in Splunk Enterprise Security, you categorize entities and assign them risk scores. For example, Splunk Enterprise Security labels a device, identified by its hostname, as a system and a username as a user.

Detections in Splunk Enterprise Security correlate machine data with known threats. Risk-based alerting (RBA) attributes suspicious log events to an entity by creating intermediate findings, which Splunk Enterprise Security indexes as events in the risk index. Each detection searches for a specific condition; when it finds a match, it generates an intermediate finding in the risk index that records the potential threat. Another detection then aggregates the intermediate findings for an entity over time and creates a finding in the notable index when they surpass a threshold, such as an aggregated risk score. That finding can then be investigated in the analyst queue.

As an administrator, you can edit a detection to change the risk score that it assigns to an entity. Out of the box, some detections might score their risk-based findings higher than your environment warrants, so customize your detections to score findings and investigations appropriately. Over time, as a detection runs, you might find that some of its findings reflect expected behavior in your environment. In such cases, lower the risk that those specific findings contribute rather than lowering the entity's overall risk score.

Additionally, you can use finding risk scores as an input to finding-based detections, which surface high-confidence finding groups based on risk. This reduces alert volume so that you can focus on the findings that are most likely to represent a security threat.

As part of the investigative workflow, you must assign, review, or close these risk-based findings and investigations.

Display of risk scores in Splunk Enterprise Security

Use one of the following methods to view risk scores in Splunk Enterprise Security:

  • In Splunk Enterprise Security, select Mission Control and review the analyst queue. The risk scores associated with findings and investigations are displayed in a separate column of the analyst queue.
  • In Splunk Enterprise Security, go to Analytics and select Dashboards. Then, select the Risk analysis dashboard to view Risk scores by entity and Risk scores by annotations. You can also use the Risk analysis dashboard to drill down and investigate risk findings using the Timeline visualization.

Entities with risk events from the past seven days have an entity risk score (ERS) displayed next to them throughout Splunk Enterprise Security. Color distinguishes the level of risk: a yellow badge represents a risk score of 0-25, orange 25-50, light red 50-75, and dark red a risk score above 75.

Not every entity appears with a risk score in the analyst queue. Only entities that have risk events from the past seven days and an entity type of "system" or "user" are displayed. Risk scores are displayed for the following fields: orig_host, dvc, src, dest, src_user, and user.

How entities impact risk scores in Splunk Enterprise Security

An entity refers to any asset, identity, user, or device in your security environment that can be used by Splunk Enterprise Security to identify potential security threats. As an administrator, you can create entities to categorize anything to which you assign a risk score. For example, you might categorize a laptop as a system entity type and an identity as a user entity type.

When an entity generates an event that is a potential threat, a detection can create an intermediate finding that includes a score and metadata such as the applicable MITRE ATT&CK technique and tactic. Another detection, such as a risk incident rule or a finding-based detection, aggregates these intermediate findings and creates a finding to investigate when they surpass thresholds on that metadata, such as a total risk score.

An intermediate finding includes the following key fields: entity, entity_type, risk_score, and risk_message.

Entity types

If an entity matches an object in the asset or identity table, Splunk Enterprise Security maps the object to the associated entity type. For example, an object that matches an asset in the asset lookup maps to the system entity type. However, devices and users do not have to appear in the corresponding asset and identity tables to be identified as system or user entities.

Splunk Enterprise Security defines the following entity types.

Entity type   Description
System        Represents a server, laptop, or physical device in the asset lookup.
User          Represents an identity such as a network user, credential, or role in the identity lookup.

Example: Reset a risk score for an entity

You can reset the risk score for an entity, with certain limitations.

Consider a scenario where a detection generates many findings for an infected system, which leads to a high risk score. Because the finding risk score is computed over a time window, the entity's score eventually drops on its own as the contributing events age out of the window. Depending on your process, however, you might not want to wait and instead lower the score manually.

For example, if an entity has a score of 180, you can manually create a risk entry with a risk score of -180. On the Risk Analysis dashboard, select Ad-Hoc Risk Entry, enter the name and type of the entity and a score of -180, and then select Save.

Because the finding risk score depends on the time window, the effect of this manual entry changes over time. While the -180 entry falls in the same window as the original events that produced the score of 180, the entity's score is zero. Once those original events age out of the window but the -180 entry is still inside it, the entity's finding risk score is -180 until the entry itself ages out.
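The following Python model is an added example for this page, not Splunk's own code or an SPL search. It simulates the two mechanisms described above: the aggregation of intermediate findings in the risk index into a finding once an entity's score surpasses a threshold within a trailing window, and the ad-hoc -180 entry from the reset example, showing how the entity's score is 180, then 0, then -180, then 0 as events age out. The field names (entity, entity_type, risk_score, risk_message) follow the text; the seven-day window is taken from the display rule on this page; the threshold of 100, the optional "distinct MITRE ATT&CK tactics" criterion, the function names, and all sample events are assumptions constructed for the example.

```python
"""Model of risk-based alerting (RBA) score aggregation in Splunk Enterprise Security.

Illustrative simulation written for this page; not Splunk's code. Window length,
threshold, the distinct-tactics criterion and the sample events are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DAY = timedelta(days=1)
WINDOW = 7 * DAY                                   # page: "risk events from the past seven days"
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)     # constructed start time for the sample


@dataclass(frozen=True)
class RiskEvent:
    """One intermediate finding as it would sit in the risk index."""
    time: datetime
    entity: str
    entity_type: str                 # "system" or "user"
    risk_score: float
    risk_message: str
    mitre_tactic: Optional[str] = None   # ATT&CK annotation; None for ad-hoc entries


def in_window(event: RiskEvent, now: datetime, window: timedelta = WINDOW) -> bool:
    """True if the event falls inside the trailing window ending at `now`."""
    return now - window < event.time <= now


def entity_risk_score(events: List[RiskEvent], entity: str, now: datetime,
                      window: timedelta = WINDOW) -> float:
    """Entity risk score: sum of this entity's risk events in the window.
    Ad-hoc (possibly negative) entries are ordinary risk events."""
    return sum(e.risk_score for e in events
               if e.entity == entity and in_window(e, now, window))


def risk_incident_rule(events: List[RiskEvent], now: datetime, threshold: float = 100,
                       min_tactics: int = 1, window: timedelta = WINDOW) -> List[Dict]:
    """Aggregate intermediate findings per entity and emit one finding for each
    entity whose aggregated score exceeds `threshold` and that spans at least
    `min_tactics` distinct ATT&CK tactics (assumed secondary criterion)."""
    by_entity: Dict[tuple, List[RiskEvent]] = {}
    for e in events:
        if in_window(e, now, window):
            by_entity.setdefault((e.entity, e.entity_type), []).append(e)
    findings = []
    for (entity, etype), evs in by_entity.items():
        score = sum(e.risk_score for e in evs)
        tactics = {e.mitre_tactic for e in evs if e.mitre_tactic}
        if score > threshold and len(tactics) >= min_tactics:
            findings.append({
                "entity": entity, "entity_type": etype, "risk_score": score,
                "risk_event_count": len(evs), "tactics": sorted(tactics),
                "risk_messages": [e.risk_message for e in evs],
            })
    return findings


def adhoc_risk_entry(entity: str, entity_type: str, score: float, now: datetime) -> RiskEvent:
    """Model of the dashboard's Ad-Hoc Risk Entry: a risk event with no detection behind it."""
    return RiskEvent(now, entity, entity_type, score, "Ad-hoc risk adjustment")


# Constructed sample: an infected laptop trips three detections on day 0 (total 180),
# plus an unrelated low-risk user event that should not produce a finding.
INFECTED = "laptop-0421"
SAMPLE_EVENTS = [
    RiskEvent(T0, INFECTED, "system", 60, "Suspicious PowerShell download cradle", "Execution"),
    RiskEvent(T0 + timedelta(hours=1), INFECTED, "system", 80, "New scheduled task persistence", "Persistence"),
    RiskEvent(T0 + timedelta(hours=2), INFECTED, "system", 40, "Beacon-like outbound connections", "Command and Control"),
    RiskEvent(T0, "jdoe", "user", 20, "Failed logons from new country", "Initial Access"),
]


def reset_scenario() -> Dict[str, float]:
    """Walk the page's reset example: 180 on day 0, an ad-hoc -180 entry on day 3."""
    events = SAMPLE_EVENTS + [adhoc_risk_entry(INFECTED, "system", -180, T0 + 3 * DAY)]
    return {
        "day1": entity_risk_score(events, INFECTED, T0 + 1 * DAY),    # original events only
        "day4": entity_risk_score(events, INFECTED, T0 + 4 * DAY),    # both in window: cancel out
        "day8": entity_risk_score(events, INFECTED, T0 + 8 * DAY),    # originals aged out: -180 remains
        "day11": entity_risk_score(events, INFECTED, T0 + 11 * DAY),  # ad-hoc entry aged out too
    }


if __name__ == "__main__":
    for f in risk_incident_rule(SAMPLE_EVENTS, T0 + DAY):
        print(f"finding: {f['entity']} ({f['entity_type']}) score={f['risk_score']} tactics={f['tactics']}")
    print("reset scenario:", reset_scenario())
```

The model shows why the page warns about the limitation: a negative ad-hoc entry is just another event in the window, so it does not "reset" anything permanently and briefly leaves the entity below zero once the original events expire. Note that in ES the aggregation itself is performed by a risk incident rule or finding-based detection search; this code only reproduces the arithmetic those searches apply.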