

This search correlates detections by user, summing each user's risk_score across the underlying risk events and alerting when the total exceeds the threshold.

  • Type: Correlation
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-09-06
  • Author: Patrick Bareiss, Splunk
  • ID: 610e12dc-b6fa-4541-825e-4a0b3b6f6773


ID          Technique        Tactic
T1204.003   Malicious Image  Execution
T1204       User Execution   Execution

Search

| fillnull
| stats sum(risk_score) as risk_score values(source) as signals values(repository) as repository by user
| sort - risk_score
| where risk_score > 80
| `correlation_by_user_and_risk_filter`
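The following Python reconstruction of the `fillnull | stats | sort | where` pipeline is an added example, not Splunk code or part of this detection; the risk events, detection names and repository values in RISK_EVENTS are constructed. It shows the aggregation the search performs and one behaviour worth knowing when tuning it: because `fillnull` runs before `stats ... by user`, risk events that carry no `user` field are all grouped under the fill value (the string "0") and can cross the threshold together as a single pseudo-user.

```python
from collections import defaultdict

# Constructed sample risk events (not from the page). Each dict stands for one
# event in the risk index written by an upstream detection; "source" is the
# name of the detection that produced it, as in the SPL's values(source).
RISK_EVENTS = [
    {"user": "alice", "risk_score": 50, "source": "Docker Image Pull", "repository": "app/web"},
    {"user": "alice", "risk_score": 40, "source": "Suspicious Container Exec", "repository": "app/web"},
    {"user": "bob", "risk_score": 30, "source": "Docker Image Pull", "repository": "app/api"},
    # Two events with no user field at all, e.g. a detection that could not
    # attribute the activity. fillnull will map both to user "0".
    {"risk_score": 60, "source": "Unattributed Event", "repository": "app/api"},
    {"risk_score": 25, "source": "Unattributed Event"},
]

FILLNULL_VALUE = "0"   # Splunk's default fill value when fillnull is given no value=
THRESHOLD = 80         # from the search: where risk_score > 80
FIELDS = ("user", "risk_score", "source", "repository")


def fillnull(event, fields=FIELDS, value=FILLNULL_VALUE):
    """Mirror `| fillnull`: every missing field becomes the fill value."""
    return {f: event.get(f, value) for f in fields}


def correlate_by_user(events, threshold=THRESHOLD):
    """Mirror `stats sum(risk_score) values(source) values(repository) by user
    | sort - risk_score | where risk_score > threshold`.

    Returns a list of result rows, highest risk_score first."""
    totals = defaultdict(lambda: {"risk_score": 0.0, "signals": set(), "repository": set()})
    for raw in events:
        ev = fillnull(raw)
        agg = totals[ev["user"]]
        agg["risk_score"] += float(ev["risk_score"])
        agg["signals"].add(ev["source"])
        agg["repository"].add(ev["repository"])   # values() keeps the "0" fill too

    rows = []
    for user, agg in totals.items():
        rows.append({
            "user": user,
            "risk_score": agg["risk_score"],
            # values() yields a deduplicated multivalue field; sort for stable output
            "signals": sorted(agg["signals"]),
            "repository": sorted(agg["repository"]),
        })
    rows.sort(key=lambda r: r["risk_score"], reverse=True)   # sort - risk_score
    return [r for r in rows if r["risk_score"] > threshold]   # where risk_score > 80


def unattributed_rows(rows, fill_value=FILLNULL_VALUE):
    """Rows whose 'user' is only the fillnull value: these are not a real
    identity and deserve a separate triage path (or the filter macro)."""
    return [r for r in rows if r["user"] == fill_value]


if __name__ == "__main__":
    for row in correlate_by_user(RISK_EVENTS):
        print(f"Correlation triggered for user {row['user']}: "
              f"risk_score={row['risk_score']:.0f} signals={row['signals']}")
    for row in unattributed_rows(correlate_by_user(RISK_EVENTS)):
        print(f"note: user {row['user']!r} is the fillnull value, not a real account")
```

With the constructed events, alice (50 + 40 = 90) and the pseudo-user "0" (60 + 25 = 85) both exceed 80, while bob (30) does not. The `correlation_by_user_and_risk_filter` macro at the end of the search is the place to drop or re-route such fill-value rows if they are noisy in your environment.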

Associated Analytic Story

How To Implement

For Dev Sec Ops POC

Required field

  • _time

Kill Chain Phase

  • Actions on Objectives

Known False Positives



Risk Score   Impact   Confidence   Message
70.0         70       100          Correlation triggered for user $user$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1