Splunk Enterprise Security

Assign Risk in Correlation Search

panovattack
Communicator

We are trying to integrate the risk analysis framework in our incident response process.

We have developed a library of correlation searches where the results produce multiple objects upon which we need to assign risk, e.g. src, dest, users. When we add the "| sendalert risk" components to the correlation searches, notable events no longer generate and risk scores are NOT applied. When we run the searches as ad-hoc, the risk scores are properly assigned and the results appear as expected.

Can "| sendalert" not appear in a correlation search? The Risk Analysis Adaptive Response action is not sufficient, as we cannot dynamically set the risk tolerance, nor set risk against multiple objects with that action.

e.g.: | eval risk_score=case(severity=="critical", 20, severity=="high", 15, severity=="medium", 10, severity=="low", 5)

0 Karma

kchamplin_splun
Splunk Employee

There are these examples in docs:
http://docs.splunk.com/Documentation/ES/5.2.0/User/RiskScoring
The appendpipe option is pretty good, but that said multiple | sendalerts should be supported as well - what version of ES are you on?

0 Karma

smoir_splunk
Splunk Employee
0 Karma

panovattack
Communicator

The approach here does not seem to work when it comes to a correlation search. Multiple | sendalerts work in ad-hoc, but not when run as part of a correlation search.

0 Karma

panovattack
Communicator

Just an update that we are waiting for a Splunk and ES upgrade to see if that fixes the issue. We'd like to be able to dynamically assign risk to multiple objects in a single correlation search.

0 Karma

panovattack
Communicator

Still can't seem to figure it out after upgrade. Is there anyway to reliably assign risk to multiple objects from a correlation search or a saved search? Or is the limit one?

0 Karma

bowesmana
SplunkTrust

I'm adding a score to several objects from one event from a saved search

I do this

| eval risk_object=mvappend(field_1."|system",field_2."|user",field_3."|user",field_4."|other")
| eval risk_score=1
| mvexpand risk_object
| eval x=split(risk_object, "|")
| eval risk_object=mvindex(x, 0, 0), risk_object_type=mvindex(x,1,1)
| fields - x

and then sendalert at the end, so for each event, I get 4 events.

0 Karma
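The following is an added, self-contained SPL example (not code from any poster above) that combines the two ideas in this thread: the severity-to-score case() from the original question and the fan-out of one event into one row per risk object from bowesmana's reply, finishing with a single "| sendalert risk". Assumptions, to verify against the RiskScoring page linked earlier for your ES version: the sample events are constructed with makeresults rather than coming from a real correlation search; the field names src, dest, user and severity are placeholders; and the risk action is assumed to accept param._risk_object, param._risk_object_type and param._risk_score as names of result fields (so the per-row risk_object, risk_object_type and risk_score values are used). SPL comments use triple backticks, which would collide with the code fence, so the explanation is in prose here instead of inline.

```spl
| makeresults count=3
| streamstats count AS n
| eval src=case(n=1, "10.0.0.5", n=2, "10.0.0.9", n=3, "10.0.0.12")
| eval dest=case(n=1, "srv-01", n=2, "srv-02", true(), null())
| eval user=case(n=1, "jdoe", n=2, "asmith", n=3, "svc-backup")
| eval severity=case(n=1, "critical", n=2, "low", n=3, "unknown")
| eval risk_score=case(severity=="critical", 20, severity=="high", 15, severity=="medium", 10, severity=="low", 5, true(), 0)
| eval risk_object=mvappend(src."|system", dest."|system", user."|user")
| mvexpand risk_object
| eval parts=split(risk_object, "|")
| eval risk_object=mvindex(parts, 0), risk_object_type=mvindex(parts, 1)
| where isnotnull(risk_object) AND risk_object!=""
| fields - parts n
| sendalert risk param._risk_object="risk_object" param._risk_object_type="risk_object_type" param._risk_score="risk_score"
```

Line by line: the first six lines build three constructed events, one of which (n=3) has no dest and a severity value the case() does not know. The risk_score eval ends in a true() default so an unexpected severity produces 0 rather than a null score. The mvappend/mvexpand/split sequence is bowesmana's technique; concatenating a null field produces a null entry, and the where clause discards any such row so a missing dest does not create an empty risk object. Running everything up to but excluding the final sendalert line lets you inspect the rows the risk action will see: event 1 yields three rows with score 20, event 2 three rows with score 5, and event 3 two rows with score 0. Only once that table looks right should the sendalert line be appended and the search saved as a correlation search.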