Splunk Lantern

Investigating interesting behavior patterns with risk-based alerting

 

As an analyst working with Splunk Enterprise Security, you frequently look at the Incident Review panel and notice a lot of notables there. Many of these notables, on their own, aren't significant enough to warrant an alert being associated with them. However, they could warrant investigation when they occur in conjunction with other notables, indicating a pattern of behavior that could be suspicious. You want a better way to work with these events without adding extra noise to your already noisy alert environment.

Solution

The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For additional assistance on this use case with ES 8.x, Splunk Professional Services can help.

Risk-based alerting lets you alert on combinations of observations about a user or system rather than on any single event. It acts as a layer between observation and alerting: each observation adds to a risk score for that user or system, and an alert is raised only when the accumulated score and the security metadata attached to those observations cross a defined threshold.
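The aggregation just described, as an added illustration written for this article rather than code from Splunk ES or SPL from the original page: constructed risk events for three entities are summed per risk object over a 24-hour window, and an entity becomes a risk notable only when its total score and the number of distinct detections contributing to it both pass a threshold. The field names, detection names, tactic IDs and thresholds are assumptions modelled on the shape of ES risk-index records, not values taken from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk events, shaped like Splunk ES risk-index records:
# the detection that fired ("source"), the entity it fired on, the points it
# added, and the MITRE ATT&CK tactic it was annotated with. Not real data.
NOW = datetime(2024, 5, 1, 12, 0, 0)
RISK_EVENTS = [
    # jdoe: four low-scoring observations from three different detections
    {"time": "2024-05-01T08:10:00", "risk_object": "jdoe", "type": "user",
     "risk_score": 25, "source": "Excessive Failed Logins", "mitre_tactic": "TA0006"},
    {"time": "2024-05-01T08:40:00", "risk_object": "jdoe", "type": "user",
     "risk_score": 30, "source": "First Time Seen Process", "mitre_tactic": "TA0002"},
    {"time": "2024-05-01T09:05:00", "risk_object": "jdoe", "type": "user",
     "risk_score": 25, "source": "Excessive Failed Logins", "mitre_tactic": "TA0006"},
    {"time": "2024-05-01T10:30:00", "risk_object": "jdoe", "type": "user",
     "risk_score": 30, "source": "Large Outbound Transfer", "mitre_tactic": "TA0010"},
    # jdoe: an older event that falls outside the 24-hour look-back window
    {"time": "2024-04-27T10:30:00", "risk_object": "jdoe", "type": "user",
     "risk_score": 50, "source": "Large Outbound Transfer", "mitre_tactic": "TA0010"},
    # asmith: one noisy detection repeating; a high total but a single source
    *[{"time": f"2024-05-01T0{h}:00:00", "risk_object": "asmith", "type": "user",
       "risk_score": 30, "source": "Excessive Failed Logins", "mitre_tactic": "TA0006"}
      for h in range(5, 10)],
    # web-01: a single mid-scoring observation
    {"time": "2024-05-01T11:00:00", "risk_object": "web-01", "type": "system",
     "risk_score": 60, "source": "First Time Seen Process", "mitre_tactic": "TA0002"},
]

def aggregate_risk(events, now, window_hours=24, score_threshold=100, min_sources=3):
    """Sum risk per entity in the window; thresholds are illustrative assumptions."""
    cutoff = now - timedelta(hours=window_hours)
    agg = defaultdict(lambda: {"risk_score": 0, "sources": set(), "tactics": set()})
    for ev in events:
        if datetime.fromisoformat(ev["time"]) < cutoff:
            continue  # too old to count toward the current risk story
        entry = agg[(ev["risk_object"], ev["type"])]
        entry["risk_score"] += ev["risk_score"]
        entry["sources"].add(ev["source"])
        entry["tactics"].add(ev["mitre_tactic"])
    # Alert only when the score is high AND several distinct detections contributed
    for entry in agg.values():
        entry["alert"] = (entry["risk_score"] >= score_threshold
                          and len(entry["sources"]) >= min_sources)
    return dict(agg)

if __name__ == "__main__":
    for (obj, kind), e in aggregate_risk(RISK_EVENTS, NOW).items():
        print(f"{kind}={obj}: score={e['risk_score']} sources={len(e['sources'])} "
              f"tactics={sorted(e['tactics'])} alert={e['alert']}")
```

Only jdoe becomes a notable: asmith's repeated single detection scores higher but never broadens beyond one source, which is the noise-reduction effect the article describes.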

There are several benefits associated with this:

  • You can improve your operational maturity. Instead of alerts tied to disconnected security events, you get contextualized security stories that reveal patterns of behavior over time.
  • You can operationalize the MITRE ATT&CK framework, use frameworks like the Cyber Kill Chain framework, or even develop your own frameworks, depending on what security metadata you want to apply to individual data events.
  • You can reduce alert volume while increasing alert fidelity. Instead of ignoring noise, you combine observations and then alert on them in a more intelligent manner.

You can learn more about how to set up risk-based alerting in our article, Implementing risk-based alerting.

After you've set up risk-based alerting, watch this video to see a demo of how to work with risk-based alerts in Splunk Enterprise Security. This video shows you:

  • How to use the event timeline to see when events occurred
  • How to review risk scores, MITRE ATT&CK annotations and threat objects
  • How risk scores are calculated and enriched with security metadata

Next steps

This article has been brought to you by Splunk Education. We’ve learned that the strongest superheroes up-skill with Splunk Education. That’s why we are making Splunk training easier and more accessible than ever with more than 20 self-paced, free eLearning courses. You can start with foundational courses like Intro to Splunk or dive into more advanced courses like Search Under the Hood, Result Modification, and many more. Enroll today so you have the skills to detect the good, the bad, and the unproductive.

For a comprehensive RBA demo and workshop, or to engage Professional Services for setting up RBA in your environment, reach out to your Splunk account team or representative. In addition, these Splunk resources might help you understand and implement this use case: