Welcome to the Risk Super Handler for Splunk Enterprise Security

The Risk Super handler for Splunk Enterprise security provides services for:

  • Generating risk events using the Splunk Enterprise Security risk framework for Risk Based Alerting purposes (RBA) with additional levels of features

  • Centralizing the risk definition in a central lookup file referencial, rather than configured on a per correlation search basis

  • Defining a use case reference logic, which is used to lookup the risk definition and allows advanced dynamic rule definition use cases

  • Allowing different levels of risk objects definition, with different risk messages and risk score per risk object

  • Facilitating the transition from a traditional SIEM detection per use case to a Risk Based Alerting approach (RBA)

In a nutshell:

  • A lookup file is created and acts as the central reference for the Risk Rules (RR) use cases, and their risk definition

  • The application provides a “Risk super” alert action which can be enabled per Risk Rule correletation search, as well as a streaming custom command that can be called directly to generate the risk events from upstream results

  • When the Risk Rule triggers, the backend lookups the use case referencial for a match with the use case reference, if there is a match, it loads the risk rules definition from the lookup

  • The Risk definition is applied to the results of the correlation search, and submits these in a pre-formated manner to the Splunk Enterprise Security collectrisk custom command

  • Risk events are created transparently depending on the risk rules and the events content

  • Risk messages can differ per risk object, as well as the risk score

index001.png index002.png

Overview:

Deployment, configuration and usage:

Versions, build history and development: