Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Assign Risk in Correlation Search

panovattack
Communicator
‎08-23-2018 07:51 AM

We are trying to integrate the risk analysis framework in our incident response process.

We have developed a library of correlation searches where the results produce multiple objects upon which we need to assign risk, e.g. src, dest, users. When we and the "| sendalert risk" components to the correlation searches, notable events no longer generate and risk scores are NOT applied. When we run the searches as ad-hoc, the risk scores are properly assigned and the results appear as expected.

Can "| sendalert" not appear in a correlation search? The Risk Analysis Adaptive response action is not sufficient, as we can not dynamically set the risk tolerance, nor set risk against multiple objects with that action.

e.g: | eval risk_score=case(severity=="critical", 20, severity=="high", 15, severity=="medium", 10, severity=="low", 5

0 Karma
Reply

kchamplin_splun
Splunk Employee
Splunk Employee
‎12-04-2018 12:22 PM

There are these examples in docs:
http://docs.splunk.com/Documentation/ES/5.2.0/User/RiskScoring
The appendpipe option is pretty good, but that said multiple | sendalerts should be supported as well - what version of ES are you on?

0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎11-13-2018 12:38 PM

See https://answers.splunk.com/answers/594711/splunk-enterprise-security-how-can-i-configure-a-c.html and http://dev.splunk.com/view/enterprise-security/SP-CAAAFBD to learn how to add risk to multiple objects.

0 Karma
Reply

panovattack
Communicator
‎11-13-2018 01:14 PM

The approach here does not seem to work when it comes to a correlation search. Multiple | sendalerts work in ad-hoc, but not when run as part of a correlation search.

0 Karma
Reply

panovattack
Communicator
‎09-26-2018 11:24 AM

Just an update that we are waiting for a Splunk and ES upgrade to see if that fixes the issue. We'd like to be able to dynamically assign risk to multiple objects in a single correlation search.

0 Karma
Reply

panovattack
Communicator
‎11-13-2018 12:01 PM

Still can't seem to figure it out after upgrade. Is there anyway to reliably assign risk to multiple objects from a correlation search or a saved search? Or is the limit one?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-30-2019 09:16 PM

I'm adding a score to several objects from one event from a saved search

I do this

| eval risk_object=mvappend(field_1."|system",field_2."|user",field_3."|user",field_4."|other")
| eval risk_score=1
| mvexpand risk_object
| eval x=split(risk_object, "|")
| eval risk_object=mvindex(x, 0, 0), risk_object_type=mvindex(x,1,1)
| fields - x

and then sendalert at the end, so for each event, I get 4 events.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...