Entity risk scoring in Splunk Enterprise Security
The Entity Risk Score (ERS) is an enhanced version of the original risk score in Splunk Enterprise Security. It measures the overall risk level of an entity, such as a user or asset, based on findings associated with that entity. It's calculated over the past 7 days and normalized to a range of 0 to 100. The ERS uses a scheduled search called Risk - EWA Entity Risk Score Calculation to calculate risk scores for all entities that have at least one intermediate finding from the past 7 days. The search runs every 20 minutes by default.
Entity Risk Score (ERS) does not support Common Information Model (CIM) entity zones. Entity risk scores are not calculated when CIM entity zones are enabled. For more information on CIM entity zones, see Turn on entity zones for assets and identities in Splunk Enterprise Security.
Risk - EWA Entity Risk Score Calculation saved search.
The new ERS is a weighted average of the following components for findings in the Risk Index:
- The sum of all calculated_risk_score values across intermediate findings
- The maximum calculated_risk_score observed on any intermediate finding
- The number of intermediate findings with a calculated_risk_score ≥ 50
- The total count of intermediate findings
- The sum of risk across different detections, using the highest risk score from each detection
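To make the five components concrete, the following is an added Python example (not Splunk's saved-search logic and not the SPL behind Risk - EWA Entity Risk Score Calculation). It computes each component for one entity from a constructed set of intermediate findings, applying the 7-day window and the ≥ 50 threshold described above. The page does not publish the weights or the normalization used to map the weighted average onto 0 to 100, so the weights, per-component caps and the min-max scaling in `weighted_entity_risk_score` are assumptions for illustration only.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)

# Constructed intermediate findings (not real Splunk data). Each finding
# carries the entity it is attributed to, the detection (search) that raised
# it, its calculated_risk_score and the time it was written to the risk index.
FINDINGS = [
    {"entity": "alice", "detection": "Brute Force Access Behavior", "calculated_risk_score": 80, "_time": NOW - timedelta(days=1)},
    {"entity": "alice", "detection": "Brute Force Access Behavior", "calculated_risk_score": 30, "_time": NOW - timedelta(days=2)},
    {"entity": "alice", "detection": "Unusual Geo Login", "calculated_risk_score": 60, "_time": NOW - timedelta(days=3)},
    {"entity": "alice", "detection": "Stale Account Activity", "calculated_risk_score": 20, "_time": NOW - timedelta(days=10)},  # outside 7-day window
    {"entity": "bob", "detection": "Brute Force Access Behavior", "calculated_risk_score": 40, "_time": NOW - timedelta(days=1)},
]


def risk_components(findings, entity, now=NOW, window_days=7, threshold=50):
    """Return the five ERS components for one entity over the lookback window."""
    cutoff = now - timedelta(days=window_days)
    in_window = [f for f in findings if f["entity"] == entity and f["_time"] >= cutoff]
    scores = [f["calculated_risk_score"] for f in in_window]

    # Highest score per detection, then summed: a detection that fires many
    # times only contributes its single largest score to this component.
    per_detection_max = defaultdict(int)
    for f in in_window:
        det = f["detection"]
        per_detection_max[det] = max(per_detection_max[det], f["calculated_risk_score"])

    return {
        "sum_score": sum(scores),
        "max_score": max(scores, default=0),
        "count_high": sum(1 for s in scores if s >= threshold),
        "count_total": len(scores),
        "detection_max_sum": sum(per_detection_max.values()),
    }


# ASSUMED weights and caps: equal weighting, each component clipped to a cap
# and scaled to [0, 1] before averaging. Splunk's real values are not on the page.
ASSUMED_WEIGHTS = {"sum_score": 0.2, "max_score": 0.2, "count_high": 0.2, "count_total": 0.2, "detection_max_sum": 0.2}
ASSUMED_CAPS = {"sum_score": 500, "max_score": 100, "count_high": 10, "count_total": 20, "detection_max_sum": 300}


def weighted_entity_risk_score(components, weights=ASSUMED_WEIGHTS, caps=ASSUMED_CAPS):
    """Map the components onto 0..100 with an assumed capped, weighted average."""
    total = 0.0
    for name, weight in weights.items():
        scaled = min(components[name] / caps[name], 1.0)
        total += weight * scaled
    return round(100 * total, 2)


def entity_risk_score(findings, entity):
    return weighted_entity_risk_score(risk_components(findings, entity))


if __name__ == "__main__":
    for who in ("alice", "bob"):
        comps = risk_components(FINDINGS, who)
        print(who, comps, "ERS(assumed weights) =", weighted_entity_risk_score(comps))
```

Running it shows the effect of the per-detection maximum: alice's two Brute Force findings (80 and 30) add 110 to `sum_score` but only 80 to `detection_max_sum`, so a single noisy detection cannot inflate that component, while her 10-day-old finding is dropped by the 7-day window entirely.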