Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Tuning Risk Scores and resetting score values

sheamus69
Communicator
‎05-18-2016 01:54 AM

Hi,

I'm in the process of tuning our risk scores, as applied to objects (users or assets) from a correlation search.

What I'm uncertain about is, once I have configured the scoring in a manner that I am happy with, can I reset all the scores currently applied to objects so as to operate from a fresh start? The existing risk scores, being poorly configured, would presumably skew any risk analysis results going forward?

Any advice given here would be gratefully recieved.

Sheamus.

Edit:

This question is for Splunk Enterprise Security 4.0.1.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sheamus69
Communicator
‎05-20-2016 03:56 AM

OK, I think I've figured this out for myself.

Splunk doesnt need to baseline the scores, as the scores are calculated for a given timeframe. So a systems risk score would give a different value when looked a over 24 hours as opposed to over 7 days.

This effectively means that old risk values will drop out over time - which should reflect the fact that risk factors would, hopefully, get rectified once identified.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sheamus69
Communicator
‎05-20-2016 03:56 AM

OK, I think I've figured this out for myself.

Splunk doesnt need to baseline the scores, as the scores are calculated for a given timeframe. So a systems risk score would give a different value when looked a over 24 hours as opposed to over 7 days.

This effectively means that old risk values will drop out over time - which should reflect the fact that risk factors would, hopefully, get rectified once identified.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-18-2016 05:01 AM

Is this question for splunk enterprise security?

Reply
Solved! Jump to solution

sheamus69
Communicator
‎05-19-2016 01:02 AM

Yes, Splunk ES 4.0.1. Apologies, should have given that information.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...