One of the main focuses of any Security Operations Center is to review and triage generated alerts. Alerts notify the team of a potential threat, anomaly, or incident. As time goes on, adding new data sources, applications, or cloud environments can begin to overwhelm the alerting process or even cause a change in focus. Security analysts must have a way to categorize alerts by priority and level of risk. Some alerts may have a higher urgency based on the criticality of the system. For example, you might put a higher priority on an alert that has to do with your production web server rather than your email server. Splunk Enterprise Security provides the capability to change your alert priority based on your assessment of risk to your business.
Prioritization by Urgency
In Splunk Enterprise Security, the notable events are assigned an urgency level of Unknown, Low, Medium, Informational, High, or Critical. These are automatically assigned based on certain settings in your correlation search and help you categorize, track, and assign the events. You can customize the default settings in order to change the priority level.
Prioritization by Risk
On the Incident Review page in Splunk Enterprise Security, you can create custom risk notables to identify threats in your environment. In your notable, you can set the fields for the
risk_object as well as the
risk_score. Doing so allows you to set a higher score for your most important assets and prioritize alerting in order to have a faster response time for the most critical threats.
What processes can I implement for more efficient alert prioritization?
Splunk recommends following this prescriptive adoption motion: Splunk Adoption Maturity: Risk-based alerting. This guide walks you step-by-step through managing assets, data, and alert volumes, as well as automation and understanding success and leadership buy-in.
These additional resources will help you implement this guidance:
- Product Tip: Implementing risk-based alerting