There were 100s of use cases that were to be mapped to cloud data centrally logged into Splunk Enterprise, many of which were known to create a significant number of alerts based on how their cloud environment was currently being managed.

One approach would be to either tune these use cases and filter out many of the repeated actions conducted in the environment, however this will ultimately lead to blind spots in the monitoring programme and so it was deemed further correlation was required, where these individual events would be linked together to form higher fidelity alerts. A Risk Based Approach was taken in order to achieve the end goal and so we set about constructing a framework to deliver this Risk Based Approach.

As this client did not have the latest version of Splunk ES we developed it by leveraging the underlying feature sets of Splunk and Splunk Enterprise Security. To achieve this we built macros to align the MITRE ATT&CK details and corresponding impacts and confidence levels of each of the use cases in scope. These macros contained the calculations for the risk scores by leveraging lookups that contain the base score, confidence levels and risk modifiers.

These use cases are to be known as Risk Rules with Risk Indicator Rules used to trigger on certain thresholds of MITRE Tactics/Techniques and quantity of risk associated with assets or identities.

In addition to the underlying risk rules and risk indicator rules, corresponding dashboards were derived to assist in triage and response to the Risk Indicator Rules. These leveraged the great work by Jim Apger at Splunk and the SA-RBA application that can be found on GitHub, prior to the code moving into Splunk ES 6.4.

Tuning was then conducted to attribute the appropriate thresholds and risk scores for the environment, allowing for a refined alerting mechanism and training was given to the team giving them the knowledge to expand and tune the risk approach in the future.