How to get started on RBA with ES
Shifting from a used case approach to a risk-based approach will require a mind shift on how some features are used. This install guide assumes you already have Enterprise Security and have been utilizing correlation searches and notable events. This also assumes you will do a slow cutover, running current correlations searches along with risk-based searches until you are confident in the new notable events.
Prepare Existing Instance for RBA
RBA heavily relies on the risk index. Most customers are not currently using this index, or if they are, they are not using the data in a meaningful way.
Run the following search over all time or view the Risk Analysis dashboard (https://YOURINSTANCE/en-US/app/SplunkEnterpriseSecuritySuite/risk_analysis) to see if Risk is really used.
Once it is determined the risk index is not useful in its current state you will need to stop all correlations from using the Risk Adaptive Response Action and clear the risk index. If this is a fresh install of Enterprise Security, you will still need to remove the Risk Adaptive Response Action from all correlations.
Cleaning Correlation Searches
Open each correlation search and remove the Risk Adaptive Response Actions. Do this on all correlations regardless if they are enabled or not to ensure if they are turned on in the future they do not start writing to the risk index.
Cleaning the Risk Index
The second step is clearing the risk index since RBA is going to change how the risk index is used including extending the Risk data model with additional fields.
On a standalone indexer you can use the splunk clean command: https://docs.splunk.com/Documentation/Splunk/8.0.1/Indexer/RemovedatafromSplunk#Remove_all_data_from_one_or_all_indexes
Alternatively, in a clustered environment you can set the
frozenTimePeriodInSecs to 1 for the risk index and apply the bundle effectively freezing all the data in the risk index.
After the bundle is pushed allow time for the bucket freeze process to run (usually very fast) and delete all the data. Ensure there is no data in the risk index by running an all-time search for:
frozenTimePeriodInSecs=1 stanza in indexes.conf and push the bundle again to allow the index to start retaining new events that are sent.
Review CIM Sources and Configuration
Like native Enterprise Security, RBA relies on data in the common information model (CIM). Use a tool like SA-cim_validator (https://splunkbase.splunk.com/app/2968/) to review all data models for valid field extractions and data sources.
Assets & Identities Framework
RBA relies on translating system objects back to the host name and user objects back to the username. Since Risk Incident Rules are run across multiple days a systems IP address may have changed so we need to do real time DHCP translations where possible when the Risk Rules are run.
ES Assets should include all hosts (dns, nt_host) and ip/mac of any static systems (usually servers and hardwired desktops). Priority should be set appropriately as it is used in the risk macros.
Asset and Identity categories play an important role in RBA. Filling these out with important groups or server classes will provide a lot of value when it comes time to start assigning dynamic risk based on object properties. This will provide more fine tuning than priority provides out of the box.
Now that Enterprise Security risk index is cleaned up, data sources are validated, and assets/identities are enriched, we are ready to configure base RBA knowledge objects (macros, risk incident rules, risk rules).
SA-RBA contains an updated schema for the Risk Analysis data model. In its current form this new schema is not being used because SA-ThreatIntelligence is still overriding it.
Contains all the RBA specific dashboards, macros, lookups and correlation searches.
Download from GitHub: https://github.com/apger/SA-RBA/
This app should be installed on the Enterprise Security search head only. Note: This app will override the default Risk data model with additional fields.
Semicircle Donut Chart Viz: https://splunkbase.splunk.com/app/4378/ (Used for dashboards, can be excluded if you want to customize dashboards to your needs)
URL Toolbox: https://splunkbase.splunk.com/app/2734/ (Used in some risk rules, highly recommended to install this on the Enterprise Security search head as well)
Add SA-RBA to Enterprise Security Navigation
From Enterprise Security navigate to Configure > General > Navigation
Create a new Collection with RBA attribution – System and RBA attribution – User as views
This provides the foundation building blocks to build Risk Based Alerting on top of. In future blog posts we will look at configuring Risk Rules, Risk Incident Rules, and configuring new enhanced data sources.