Version: 3.3.0

Risk Scoring

Risk scoring in Alert Manager Enterprise (AME) enhances event and alert management by assigning numerical values to prioritize and investigate threats effectively within Splunk Enterprise and Splunk Cloud.

Info: Risk Scoring requires an AME Security Pack subscription.

Overview

Risk Scoring helps security teams evaluate alert severity, reduce alert fatigue, and focus on critical threats. Using observables (e.g., assets like servers or identities like usernames), AME calculates risk scores based on predefined rules. These scores are visible in the AME user interface under the "Risk Events" and "Observables" tabs, guiding your team’s response.

Key benefits include:

  • Prioritizing high-impact threats.
  • Enriching alerts with contextual data.
  • Tracking risk trends over time.
  • Surfacing low-risk events that are part of a bigger story, by accumulating risk over time.

Configuration

Configure risk scoring in AME to align with your security priorities. Follow these steps:

1. Set Up Observables

Ensure observables for assets and identities are configured in AME. Observable attributes such as names or IP addresses are used to match alert results to an observable and enrich the alert with context; they do not by themselves change a risk score (see Observables).

2. Map Alert Fields to Observables

Use the “Event Observable Matching” section in AME Templates to map Splunk alert fields (e.g., name, ip) to observable fields (e.g., name, ip) so that alert results can be matched to observables. For example, map the alert field ip to the observable field ip (see Templates).

3. Define Risk Modifiers

For each mapped observable, add a risk change value (e.g., 100) under "Event Risk Modifiers". If an alert result matches the observable, AME adds the risk change value to the observable’s risk score and logs a risk event in the tenant’s index (see Templates).

4. Test and Tune

Run test alerts, review the resulting events and scores, and refine the risk modifiers until they match your priorities (see Event Summary).

Risk Event Lifecycle

Total scores are stored in the Observable Collection, whereas single risk events (changes to the risk score) are stored in the Risk Event Collection ame_<tenant>_risk_events.

The lifecycle of the risk score for an asset follows these steps:

  1. Alert triggers: A suspicious activity (e.g., a login from IP 192.168.1.1 on server "host.com") is detected by a Splunk search that triggers an alert, initiating the risk scoring process in Alert Manager Enterprise (AME).
  2. Risk assessment: AME applies the template’s risk change to the matched observable (e.g., +100 for the IP observable), raising the asset’s risk score from its current value (e.g., 100 for "host.com") to 200.
  3. Investigation and response: The analyst investigates the alert (e.g., analyzing logs to confirm whether it is a false positive), with AME tracking the event status during this phase.
  4. Resolution: After resolving the incident, the analyst closes the event. The risk score stays at its elevated level (e.g., 200); closing the event does not roll back the risk change.
  5. Lifecycle completion: AME keeps the record of the risk score journey (e.g., from 100 to 200) for auditing, marking the process as complete.
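The configuration steps above and the lifecycle just described can be replayed end to end in a small model: a template maps alert fields to observable fields and carries a risk change per mapping, each match adds that change to the observable’s running total (the Observable Collection), and every change is journaled as a risk event (the Risk Event Collection). The following is an added example written for this page, not AME’s own code; the tenant name acme, the alert field names dest_ip and user, the identity jdoe, and the alert results are constructed assumptions. It goes slightly beyond the page’s single scenario by also accumulating several small identity hits over a day, which is how a "bigger story" builds up.

```python
"""Model of the AME risk-scoring flow described on this page: alert results are
matched against observables through a template's field mappings, each match
adds the mapping's risk change to the observable's total, and every change is
journaled as a risk event. Added example, not AME's own code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Observable:
    obs_type: str          # "asset" or "identity"
    fields: dict           # e.g. {"name": "host.com", "ip": "192.168.1.1"}
    risk_score: int = 0    # running total, as held in the Observable Collection


@dataclass
class ObservableMatch:
    """One row of a template: Event Observable Matching plus its Event Risk Modifier."""
    alert_field: str       # field in the Splunk alert result, e.g. "dest_ip" (assumed name)
    obs_type: str
    obs_field: str         # field on the observable, e.g. "ip"
    risk_change: int       # added to the observable's score on a match


@dataclass
class RiskEvent:
    occurrence: datetime
    obs_type: str
    matched_value: str
    risk_change: int
    alert_name: str


@dataclass
class RiskScoring:
    tenant: str
    observables: list = field(default_factory=list)
    risk_events: list = field(default_factory=list)   # the Risk Event Collection

    @property
    def collection_name(self) -> str:
        return f"ame_{self.tenant}_risk_events"

    def add_observable(self, obs_type, fields, risk_score=0):
        obs = Observable(obs_type, dict(fields), risk_score)
        self.observables.append(obs)
        return obs

    def apply_alert(self, alert_name, results, template, now):
        """Apply one alert's result rows against the template. Returns the risk
        events produced; a value that is not a known observable produces none."""
        produced = []
        for row in results:
            for m in template:
                value = row.get(m.alert_field)
                if value is None:
                    continue            # alert field absent: nothing to match
                for obs in self.observables:
                    if obs.obs_type == m.obs_type and obs.fields.get(m.obs_field) == value:
                        obs.risk_score += m.risk_change
                        ev = RiskEvent(now, m.obs_type, value, m.risk_change, alert_name)
                        self.risk_events.append(ev)
                        produced.append(ev)
        return produced

    def accumulated(self, obs_type, value, since):
        """Sum of risk changes for one matched value since a point in time:
        how several low-risk events add up to a bigger story."""
        return sum(e.risk_change for e in self.risk_events
                   if e.obs_type == obs_type and e.matched_value == value
                   and e.occurrence >= since)


def run_lifecycle():
    """Replays the page's scenario with constructed data: the asset "host.com"
    starts at 100, a login from 192.168.1.1 adds 100, and a series of small
    identity hits for the assumed user "jdoe" accumulate over a day."""
    engine = RiskScoring("acme")   # tenant name is an assumption
    engine.add_observable("asset", {"name": "host.com", "ip": "192.168.1.1"}, risk_score=100)
    engine.add_observable("identity", {"name": "jdoe"})
    template = [
        ObservableMatch("dest_ip", "asset", "ip", 100),   # alert field names are assumptions
        ObservableMatch("user", "identity", "name", 20),
    ]
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    engine.apply_alert("Suspicious login", [{"dest_ip": "192.168.1.1", "user": "jdoe"}], template, t0)
    for i in range(1, 5):   # four more low-risk identity events, six hours apart
        engine.apply_alert("Failed login", [{"user": "jdoe"}], template, t0 + timedelta(hours=6 * i))
    return engine, template, t0


if __name__ == "__main__":
    engine, _, t0 = run_lifecycle()
    for obs in engine.observables:
        print(obs.obs_type, obs.fields, obs.risk_score)
    print(engine.collection_name, len(engine.risk_events), "risk events")
```

Running it prints host.com at 200 and jdoe at 100 with six risk events in ame_acme_risk_events. Note that closing an event is not modelled because, as the lifecycle states, it leaves the score unchanged; only apply_alert moves a score, and an alert value that matches no observable (say dest_ip 10.0.0.5) produces no risk event at all.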

Risk Events

Risk Events are displayed under the "Risk Events" tab in the Event Summary.

  • The Occurrence column shows the time at which the risk event occurred.
  • The Type column shows the observable type: either asset or identity.
  • The Matched value column shows the value that exists in the event and was found in the observable collection.
  • The Risk change column shows the change value applied to the risk score.

Observable Details

More details about risk events can be found under the Observables tab.

See Observables for more information.

Storage Details

Risk scores are stored in tenant-specific locations for tracking and management:

  • Observable Collection: Holds the total risk scores for each observable (e.g., host.com’s score of 200).
  • Risk Event Collection: Stores individual risk events (score changes) in ame_<tenant>_risk_events (e.g., a +100 change logged for 192.168.1.1).
  • Tenant Index: Tracks changes to an observable’s risk separately, providing an additional layer of auditing.

Best Practices

  • Standardize Scoring: Use a consistent scale (e.g., 0–200) across templates and tenants so that scores mean the same thing everywhere.
  • Monitor and Adjust: Review Risk Events regularly and tune risk change values as threats evolve; also confirm that the Splunk searches behind your alerts trigger as intended, since a risk event is only created when an alert fires.
  • Align with Frameworks: Map risk modifiers to MITRE ATT&CK techniques or the CIS Controls (formerly the CIS 20) to identify coverage gaps.

For more details, see Event Summary, Templates, Observables, Tenants, and Alert Action.