Create an ad-hoc risk entry to adjust risk scores in Splunk Enterprise Security

Create an ad-hoc risk entry to make a manual, one-time adjustment to an object's risk score. You can use ad hoc risk entries to add a positive or negative number to the risk score of an object.

Add an ad hoc risk entry to neutralize risk manually or as part of an automation when you close an event. You specify the field that you want to match and a value for that field. You can then add to, subtract from, or multiply the risk score at your discretion.

Adding an ad hoc risk entry lets you add more risk for accounts with administrative privileges, executive systems, external assets, and so on. It also lets you reduce the risk for known entities. You can even reduce the risk to zero to ensure that the event gets tracked but does not create notables. This lets you use the event in conjunction with other contextual events and assign risk only when the events are seen together.

Follow these steps to create an ad-hoc risk entry:

  1. Select Security Intelligence > Risk Analysis.
  2. Select Create Ad-hoc Risk Entry.
  3. Complete the form.
  4. Select Save.

| Risk modifier | Description | Value |
|---|---|---|
| Risk score | Displays the relative risk of an asset or identity, such as a device or a user in your network environment, over time. | Positive or negative integer. |
| Risk object | Represents a system, host, device, user, role, credential, or any object that the correlation search reports on. | Text field. You can also enter a wildcard character with an asterisk (*). |
| Risk object type | Maps the risk object to a specific type. | Example: system, user, hash_values, network_artifacts, host_artifacts, tools, other |
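The following is an added illustration, not Splunk's own code, of how an ad-hoc risk entry interacts with the risk already accumulated for an object: it models the entry as one more risk event whose score adjusts every matching object (including an asterisk wildcard in the risk object), and shows the "reduce to zero" case, where the original events remain but the aggregate no longer crosses a notable threshold. The sample events, the `op` names and the threshold of 100 are assumptions for this example.

```python
from fnmatch import fnmatchcase

# Constructed sample risk events (not real Splunk data), keyed by risk_object and type.
RISK_EVENTS = [
    {"risk_object": "jdoe", "risk_object_type": "user", "risk_score": 40, "source": "Brute force attempt"},
    {"risk_object": "jdoe", "risk_object_type": "user", "risk_score": 20, "source": "Unusual login hour"},
    {"risk_object": "web01", "risk_object_type": "system", "risk_score": 30, "source": "Suspicious process"},
]


def aggregate(events):
    """Sum risk_score per (risk_object, risk_object_type) pair."""
    totals = {}
    for e in events:
        key = (e["risk_object"], e["risk_object_type"])
        totals[key] = totals.get(key, 0) + e["risk_score"]
    return totals


def adhoc_entry(events, risk_object, risk_object_type, value, op="add"):
    """Model an ad-hoc risk entry as an additional risk event for each matching object.

    risk_object may contain an asterisk wildcard, as the form allows. op is one of the
    hypothetical names 'add', 'subtract' or 'multiply'; multiply is expressed as the
    additive delta needed to reach current * value, so the original events stay intact.
    Returns a new list; the input list is not modified.
    """
    new_events = []
    for (obj, otype), current in aggregate(events).items():
        if otype != risk_object_type or not fnmatchcase(obj, risk_object):
            continue
        if op == "add":
            delta = value
        elif op == "subtract":
            delta = -value
        elif op == "multiply":
            delta = current * value - current
        else:
            raise ValueError(f"unknown op: {op}")
        new_events.append({"risk_object": obj, "risk_object_type": otype,
                           "risk_score": delta, "source": "Ad-hoc risk entry"})
    return events + new_events


def would_create_notable(events, risk_object, risk_object_type, threshold=100):
    """Assumed threshold rule: a notable fires when the aggregate score reaches threshold."""
    return aggregate(events).get((risk_object, risk_object_type), 0) >= threshold
```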