Splunk Enterprise Security

Assign Risk in Correlation Search

panovattack
Communicator

We are trying to integrate the risk analysis framework in our incident response process.

We have developed a library of correlation searches where the results produce multiple objects upon which we need to assign risk, e.g. src, dest, users. When we add the "| sendalert risk" components to the correlation searches, notable events no longer generate and risk scores are NOT applied. When we run the searches as ad-hoc, the risk scores are properly assigned and the results appear as expected.

Can "| sendalert" not appear in a correlation search? The Risk Analysis Adaptive response action is not sufficient, as we cannot dynamically set the risk tolerance, nor set risk against multiple objects with that action.

e.g.: | eval risk_score=case(severity=="critical", 20, severity=="high", 15, severity=="medium", 10, severity=="low", 5)

0 Karma

kchamplin_splun
Splunk Employee

There are these examples in docs:
http://docs.splunk.com/Documentation/ES/5.2.0/User/RiskScoring
The appendpipe option is pretty good, but that said multiple | sendalerts should be supported as well - what version of ES are you on?

0 Karma

smoir_splunk
Splunk Employee
0 Karma

panovattack
Communicator

The approach here does not seem to work when it comes to a correlation search. Multiple | sendalerts work in ad-hoc, but not when run as part of a correlation search.

0 Karma

panovattack
Communicator

Just an update that we are waiting for a Splunk and ES upgrade to see if that fixes the issue. We'd like to be able to dynamically assign risk to multiple objects in a single correlation search.

0 Karma

panovattack
Communicator

Still can't seem to figure it out after the upgrade. Is there any way to reliably assign risk to multiple objects from a correlation search or a saved search? Or is the limit one?

0 Karma

bowesmana
SplunkTrust

I'm adding a score to several objects from one event from a saved search.

I do this

| eval risk_object=mvappend(field_1."|system",field_2."|user",field_3."|user",field_4."|other")
| eval risk_score=1
| mvexpand risk_object
| eval x=split(risk_object, "|")
| eval risk_object=mvindex(x, 0, 0), risk_object_type=mvindex(x,1,1)
| fields - x

and then sendalert at the end, so for each event, I get 4 events.

0 Karma
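Putting the two pieces of this thread together (the severity-to-score case() from the question and the mvappend/mvexpand expansion from the last reply) into one search, as an added example rather than code from any poster. The index, sourcetype and the src, dest and user field names are placeholders; the sendalert param names follow the risk alert action described in the ES docs linked above, and it is assumed that pointing those params at the per-result risk_object, risk_object_type and risk_score fields makes the action read each row's values.

```spl
index=<your_index> sourcetype=<your_sourcetype> severity=*
| eval risk_score=case(severity=="critical", 20, severity=="high", 15, severity=="medium", 10, severity=="low", 5, true(), 1)
| eval risk_object=mvappend(src."|system", dest."|system", user."|user")
| mvexpand risk_object
| eval parts=split(risk_object, "|")
| eval risk_object=mvindex(parts, 0), risk_object_type=mvindex(parts, 1)
| fields - parts
| where isnotnull(risk_object) AND risk_object!=""
| sendalert risk param._risk_object="risk_object" param._risk_object_type="risk_object_type" param._risk_score="risk_score"
```

The `where` drops rows where a placeholder field was missing from the event, so only real objects get a risk entry; the trailing `true(), 1` branch keeps rows with an unexpected severity from arriving with a null score.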