Correlation by Repository and Risk
Description
This search correlates detections by repository and risk_score.
- Type: Correlation
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-09-06
- Author: Patrick Bareiss, Splunk
- ID: 8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687
Annotations
Kill Chain Phase
- Actions on Objectives
NIST
- PR.DS
- PR.AC
- DE.CM
CIS20
- CIS 13
CVE
Search
`signals`
| fillnull
| stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository
| sort - risk_score
| where risk_score > 80
| `correlation_by_repository_and_risk_filter`
Macros
The SPL above uses the following Macros:
- signals
- correlation_by_repository_and_risk_filter
Note that correlation_by_repository_and_risk_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
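To show what the search above computes, here is an added Python emulation of the SPL pipeline (it is not part of Splunk's content and not how Splunk runs it). It assumes the `signals` macro returns one risk event per fired detection with the fields repository, source, user and risk_score; the events and the `exclude` parameter standing in for the filter macro are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, assumed to be what the `signals` macro returns:
# one risk event per fired detection, carrying a repository field.
# Field names mirror the SPL on this page; the values are made up.
SAMPLE_SIGNALS = [
    {"repository": "org/payments", "source": "Secret Committed", "user": "alice", "risk_score": 50},
    {"repository": "org/payments", "source": "Dependency Confusion", "user": "bob", "risk_score": 35},
    {"repository": "org/docs", "source": "Suspicious Commit Author", "user": "carol", "risk_score": 30},
    {"repository": "org/infra", "source": "Secret Committed", "user": "dave", "risk_score": 90},
    {"repository": "org/infra", "source": "Secret Committed", "user": "dave"},  # no risk_score field
]


def correlate_by_repository(signals, threshold=80, exclude=None):
    """Emulate the page's SPL: fillnull, stats by repository, sort, where, filter macro.

    `exclude` is a hypothetical stand-in for correlation_by_repository_and_risk_filter:
    a set of repositories to drop (an empty set, like the default empty macro, drops nothing).
    """
    # | fillnull  -> every missing field becomes "0" (Splunk's default fill value)
    filled = [{k: ev.get(k, "0") for k in ("repository", "source", "user", "risk_score")} for ev in signals]

    # | stats sum(risk_score) as risk_score values(source) as signals values(user) as user by repository
    buckets = defaultdict(lambda: {"risk_score": 0.0, "signals": set(), "user": set()})
    for ev in filled:
        b = buckets[ev["repository"]]
        b["risk_score"] += float(ev["risk_score"])  # the filled "0" contributes nothing to the sum
        b["signals"].add(ev["source"])
        b["user"].add(ev["user"])

    # values() returns distinct values in sorted order
    rows = [{"repository": repo, "risk_score": b["risk_score"],
             "signals": sorted(b["signals"]), "user": sorted(b["user"])}
            for repo, b in buckets.items()]

    # | sort - risk_score   then   | where risk_score > 80
    rows.sort(key=lambda r: r["risk_score"], reverse=True)
    rows = [r for r in rows if r["risk_score"] > threshold]

    # | `correlation_by_repository_and_risk_filter`  (empty by default, so nothing is removed)
    return [r for r in rows if r["repository"] not in (exclude or set())]


if __name__ == "__main__":
    for row in correlate_by_repository(SAMPLE_SIGNALS):
        print(row)
```

Note that org/payments crosses the threshold only through the sum of two lower-scored detections, which is the point of aggregating risk per repository rather than alerting per signal.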
Required field
- _time
How To Implement
For Dev Sec Ops POC
Known False Positives
unknown
Associated Analytic story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 70.0 | 70 | 100 | Correlation triggered for user $user$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 1