Using entity risk scores for detections in Splunk Enterprise Security

Entity risk scores (ERS) help you identify users, hosts, or devices that might require attention based on recent risk activity. Splunk Enterprise Security updates these scores every 20 minutes by aggregating risk events and storing the resulting scores in the ers index. ERS values are commonly used to highlight high-risk entities and to trigger additional investigation or automated workflows in Splunk Enterprise Security.

You can create finding-based detections that automatically generate findings when an entity's risk score passes a threshold you define. This helps you surface entities that might need immediate review.

The following example demonstrates how to create a basic detection that alerts when a user's ERS is 80 or higher.
index=ers ers>=80 risk_object_type=user
| stats max(ers) as entity_risk_score values(detections) as detections by normalized_risk_object
This search does the following:
  • index=ers searches the ERS index.

  • ers>=80 returns only entities with a risk score of 80 or higher.

  • risk_object_type=user limits results to user entities.

  • stats max(ers) as entity_risk_score returns the highest ERS value seen for each user in the search time range, renamed to entity_risk_score.

  • values(detections) lists detections already linked to that entity.

  • by normalized_risk_object groups results by the normalized entity name.

The search returns one row per high-risk user, with the user's highest score in the time range and any detections already associated with that user. Because the threshold is applied to individual ERS events before stats aggregates them, a user appears in the results if any score in the search time range met the threshold, even if the most recent score has since dropped below it; narrow the time range if you only want entities that are currently at or above the threshold. You can use this output as the basis for a Splunk Enterprise Security detection or investigation workflow, such as generating findings automatically when a user's score crosses your threshold.
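The following Python function is an added example that reproduces the logic of the search above outside Splunk, so you can see exactly what the filter and the stats aggregation do to a set of ERS events. It is not Splunk code and does not use any Splunk API; the sample events, field values and detection names are constructed for illustration, and the threshold and risk_object_type parameters are assumptions that mirror the literals in the search.

```python
from collections import defaultdict

# Constructed sample events standing in for records from the ers index.
# Field names follow the search on the page; the values are made up.
# ers is kept as a string because Splunk fields arrive as strings.
SAMPLE_ERS_EVENTS = [
    {"normalized_risk_object": "jdoe", "risk_object_type": "user",
     "ers": "85", "detections": "Excessive Failed Logins"},
    {"normalized_risk_object": "jdoe", "risk_object_type": "user",
     "ers": "92", "detections": "Suspicious PowerShell Execution"},
    # duplicate detection for the same user: values() keeps it once
    {"normalized_risk_object": "jdoe", "risk_object_type": "user",
     "ers": "85", "detections": "Excessive Failed Logins"},
    {"normalized_risk_object": "asmith", "risk_object_type": "user",
     "ers": "80", "detections": "Excessive Failed Logins"},
    # below threshold: filtered out by ers>=80
    {"normalized_risk_object": "bjones", "risk_object_type": "user",
     "ers": "45", "detections": "Rare Process Launch"},
    # not a user entity: filtered out by risk_object_type=user
    {"normalized_risk_object": "web01", "risk_object_type": "system",
     "ers": "97", "detections": "Web Shell Written To Disk"},
]


def high_risk_entities(events, threshold=80.0, risk_object_type="user"):
    """Equivalent of:

        index=ers ers>=80 risk_object_type=user
        | stats max(ers) as entity_risk_score values(detections) as detections
          by normalized_risk_object

    Returns {normalized_risk_object: {"entity_risk_score": float,
                                      "detections": [sorted distinct names]}}.
    """
    grouped = defaultdict(lambda: {"entity_risk_score": float("-inf"),
                                   "detections": set()})
    for ev in events:
        # risk_object_type=user
        if ev.get("risk_object_type") != risk_object_type:
            continue
        # ers>=80: non-numeric or missing ers never matches the comparison
        try:
            score = float(ev["ers"])
        except (KeyError, TypeError, ValueError):
            continue
        if score < threshold:
            continue
        # by normalized_risk_object: events without the split field are dropped
        key = ev.get("normalized_risk_object")
        if not key:
            continue
        row = grouped[key]
        # max(ers) over every surviving event for this entity
        row["entity_risk_score"] = max(row["entity_risk_score"], score)
        # values(detections): distinct set, emitted sorted like Splunk does
        det = ev.get("detections")
        if det:
            row["detections"].add(det)
    return {key: {"entity_risk_score": row["entity_risk_score"],
                  "detections": sorted(row["detections"])}
            for key, row in grouped.items()}


def findings_from_results(results, threshold=80.0):
    """Turn the aggregated rows into finding-style records, one per entity.

    The field names are assumptions for illustration, not Splunk's schema.
    """
    return [
        {"risk_object": entity,
         "entity_risk_score": row["entity_risk_score"],
         "threshold": threshold,
         "related_detections": row["detections"]}
        for entity, row in sorted(results.items())
    ]


if __name__ == "__main__":
    for finding in findings_from_results(high_risk_entities(SAMPLE_ERS_EVENTS)):
        print(finding)
```

Running the block prints one finding for jdoe (score 92, two distinct detections) and one for asmith (score 80); bjones is dropped by the threshold and web01 by the entity type. Note that jdoe's 92 is the maximum across the time range, not necessarily the latest score, which is the same behaviour the SPL search has.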