Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Assign multiple risk objects in Risk Analysis

vamshikn72
Explorer
‎04-27-2021 11:16 AM

How to assign multiple risk object fields and object types in Risk analysis response action. I know it's possible from search using appendpipe and sendalert but we want this to be added from the response action.

Example as below:

Risk Score - 20

Risk Object Field - user, ip, host

Risk Object Type - System, user

vamshikn72_0-1619547260431.png

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-27-2021 10:01 PM

In your correlation search create a fields risk_object and risk_object_type containing your values and have one row per risk entry you want to create. You can also give each row a different risk score if you want to. This example shows how you can use those fields.

| makeresults
| fields - _time
| eval risk_object=split("vamshikn72:user,10.10.13.11:system,machine1:system", ",")
| mvexpand risk_object
| rex field=risk_object "(?<risk_object>[^:]*):(?<risk_object_type>.*)"
| eval risk_score=20

In the configuration dialog, just leave the risk object and type fields blank. If you include a score field in the row, it will use that instead.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

MaverickT
Communicator
‎04-29-2021 11:11 PM

The easyest way is to upgrade your Enterprise Security to 6.4, which has the option to add multiple risk analysis to the same result.

 

MaverickT_0-1619763085817.png

 

Reply
Solved! Jump to solution

vamshikn72
Explorer
‎05-03-2021 08:14 AM

Thanks @MaverickT. We came to know about this later and asked our admins to upgrade.

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-27-2021 10:01 PM

In your correlation search create a fields risk_object and risk_object_type containing your values and have one row per risk entry you want to create. You can also give each row a different risk score if you want to. This example shows how you can use those fields.

| makeresults
| fields - _time
| eval risk_object=split("vamshikn72:user,10.10.13.11:system,machine1:system", ",")
| mvexpand risk_object
| rex field=risk_object "(?<risk_object>[^:]*):(?<risk_object_type>.*)"
| eval risk_score=20

In the configuration dialog, just leave the risk object and type fields blank. If you include a score field in the row, it will use that instead.

0 Karma
Reply
Solved! Jump to solution

vamshikn72
Explorer
‎04-28-2021 11:48 AM

Hi @bowesmana, Passing blank values in the response action and adding scores to the eval helped me a lot. Thanks for your quick help.

Search example I used:

| makeresults
| eval field_user="noob", field_ip="8.8.8.8", field_host="machine"
| eval risk_object=if(isnotnull(field_host),field_host,null()),risk_object_type=if(isnotnull(field_host),"system",null())
| appendpipe
[| eval risk_object=if(isnotnull(field_user),field_user,null()),risk_object_type=if(isnotnull(field_user),"user",null())]
| appendpipe
[| eval risk_object=if(isnotnull(field_ip),field_ip,null()),risk_object_type=if(isnotnull(field_ip),"system",null())]
| eval risk_score=20
| fields - _time field_user field_ip field_host

Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top