Example Risk Searches
# Simple Risk Search

A simple risk search for scoring users can be as easy as:

```
index=_audit sourcetype=audittrail user=*
| table _time, user_hash, user, action, _raw
```

1. Search for risk events.
2. If contributing data is collected, it is recommended to select the columns to be stored.
# Hashed and Encrypted Risk Search
For sensitive data, Risk Manager allows hashing and encryption of fields. risk_object values should typically be hashed, not encrypted: the hash algorithm is deterministic and always returns the same hash for the same risk_object value, which Risk Manager needs in order to assign the score to the correct risk object.
```
index=_audit sourcetype=audittrail user=*
| eval user_hash=user
| hash algorithm=sha256 user_hash
| crypt mode=e key=/opt/splunk/etc/apps/SA-hypercrypto/lib/public.pem user _raw
| eval decrypt_command="crypt mode=d key=/opt/splunk/etc/apps/SA-hypercrypto/lib/private.pem user _raw"
| table _time, user_hash, user, _raw, decrypt_command
```

1. Search for risk events.
2. Make a copy of the risk object field for hashing.
3. Hash the `user_hash` field with SHA-256.
4. Encrypt the fields that contain sensitive information (`user` and `_raw`) with the public key.
5. The drilldowns in the risk search dashboard need to know how to decrypt the content, so the matching decrypt command is written into the field `decrypt_command`.
6. Select the columns to collect. Do not forget the `decrypt_command` field.
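The following is an added Python model of the hashed search above, not code from Risk Manager or this wiki: it runs lines 2, 3, 5 and 6 of the search over constructed audittrail events and shows why a deterministic hash of the risk object keeps scoring intact. The `crypt` step (line 4) is not reproduced, since it depends on the app's command and key files; `user` and `_raw` are carried through unchanged.

```python
"""Added model of the hashed risk search (constructed data, not the app's code)."""
import hashlib
from collections import defaultdict

# Constructed stand-ins for index=_audit sourcetype=audittrail events.
AUDIT_EVENTS = [
    {"_time": "2024-05-01T08:00:00", "user": "alice", "action": "search",
     "_raw": "Audit:[timestamp=05-01-2024 08:00:00, user=alice, action=search]"},
    {"_time": "2024-05-01T08:05:00", "user": "bob", "action": "login",
     "_raw": "Audit:[timestamp=05-01-2024 08:05:00, user=bob, action=login]"},
    {"_time": "2024-05-01T08:10:00", "user": "alice", "action": "edit_user",
     "_raw": "Audit:[timestamp=05-01-2024 08:10:00, user=alice, action=edit_user]"},
]

# Mirrors line 5 of the search: the command a drilldown needs to decrypt the row.
DECRYPT_COMMAND = ("crypt mode=d key=/opt/splunk/etc/apps/SA-hypercrypto/lib/private.pem "
                   "user _raw")


def hash_risk_object(value: str) -> str:
    """Line 3: deterministic SHA-256 of the risk object, so every event for the
    same user yields the same user_hash and its score lands on one risk object."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_risk_rows(events):
    """Lines 2, 3, 5 and 6 of the search (the crypt step of line 4 is omitted)."""
    rows = []
    for ev in events:
        rows.append({
            "_time": ev["_time"],
            "user_hash": hash_risk_object(ev["user"]),  # eval user_hash=user | hash
            "user": ev["user"],                          # would be encrypted by crypt
            "_raw": ev["_raw"],                          # would be encrypted by crypt
            "decrypt_command": DECRYPT_COMMAND,
        })
    return rows


def score_by_risk_object(rows, key="user_hash", score_per_event=10):
    """Sum a flat per-event score per risk object. Keyed on user_hash this gives
    the same totals as keying on the plaintext user: that is the property a
    deterministic hash provides and a (randomised) encryption would not."""
    totals = defaultdict(int)
    for row in rows:
        totals[row[key]] += score_per_event
    return dict(totals)
```

With the constructed events, alice's hash accumulates 20 and bob's 10, identical to grouping on the plaintext `user` field.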