Solved: Tuning Risk Scores and resetting score values

sheamus69 · ‎05-18-2016

Hi,

I'm in the process of tuning our risk scores, as applied to objects (users or assets) from a correlation search.

What I'm uncertain about is, once I have configured the scoring in a manner that I am happy with, can I reset all the scores currently applied to objects so as to operate from a fresh start? The existing risk scores, being poorly configured, would presumably skew any risk analysis results going forward?

Any advice given here would be gratefully recieved.

Sheamus.

Edit:

This question is for Splunk Enterprise Security 4.0.1.

sheamus69 · ‎05-20-2016

OK, I think I've figured this out for myself.

Splunk doesnt need to baseline the scores, as the scores are calculated for a given timeframe. So a systems risk score would give a different value when looked a over 24 hours as opposed to over 7 days.

This effectively means that old risk values will drop out over time - which should reflect the fact that risk factors would, hopefully, get rectified once identified.

View solution in original post

sheamus69 · ‎05-20-2016

OK, I think I've figured this out for myself.

Splunk doesnt need to baseline the scores, as the scores are calculated for a given timeframe. So a systems risk score would give a different value when looked a over 24 hours as opposed to over 7 days.

This effectively means that old risk values will drop out over time - which should reflect the fact that risk factors would, hopefully, get rectified once identified.

jkat54 · ‎05-18-2016

Is this question for splunk enterprise security?

sheamus69 · ‎05-19-2016

Yes, Splunk ES 4.0.1. Apologies, should have given that information.

Tuning Risk Scores and resetting score values

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases