Christoph Dittmann edited this page Jul 15, 2015 · 7 revisions

#Welcome

Welcome to the Risk Manager wiki. There are a few important sub-pages we'd like to highlight:

  1. Installation Guide
  2. Configuration Guide
  3. User Guide
  4. Demo Data Configuration Guide
  5. FAQ

Introducing the «Risk Manager»

The Risk Manager adds risk scoring and risk analytics functionality to Splunk. The app can be used to assign risk scores to risk objects and to track accumulated risk score over time. Risk Manager is a general-purpose app that can be used for security use cases (e.g. user behavior over time), but also for IT Ops use cases, e.g. tracking asset risk over time.

Risk Manager brings:

  • Awareness of your current risk situation with a risk overview dashboard
  • A risk analysis dashboard for per-risk-object scoring and risk events over time
  • A risk search dashboard to investigate risk events and drill down into details
  • A risk data model that provides the basis for pivoting
  • Collection of the contributing data that caused the risk scoring
  • Optional hashing and encryption of data for privacy/compliance reasons

#Features

  • Works as a scripted alert action that finds risk objects and assigns risk scores to them
  • Each fired alert creates risk events for pre-configured objects
  • The risk objects get a pre-configured score
  • Risk scores are accumulated per risk object
  • Data that contributes to (causes) risk events can be stored in a KV Store collection for later analysis
  • Contributing data can optionally be encrypted with asymmetric encryption algorithms (public-key encryption). This requires the optional "Support Add-on for Hypercrypto": https://github.com/my2ndhead/SA-hypercrypto

#Limitations and Known Issues

  • See issue for a complete list
  • risk_search dashboard: Detail drilldown for encrypted data should be disabled for non-encrypted data.

#Roadmap

  • Better integration of SA-hypercrypto

#License

  • This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. [1]
  • Commercial Use, Excerpt from CC BY-NC-SA 4.0:
    • "A commercial use is one primarily intended for commercial advantage or monetary compensation."
  • In case of Support Add-on for Hyperbaseline this translates to:
    • You may use Support Add-on for Hyperbaseline in commercial environments for handling in-house Splunk alerts
    • You may use Support Add-on for Hyperbaseline as part of your consulting or integration work if you are considered to be working on behalf of your customer. The customer will be the licensee of Support Add-on for Hyperbaseline and must comply with the license terms
    • You are not allowed to sell Support Add-on for Hyperbaseline as a standalone product or within an application bundle
    • If you want to use Support Add-on for Hyperbaseline outside of these license terms, please contact us and we will find a solution

#Who are we?

  • Mika Borner ([email protected]), Senior IT Consultant and Splunk Enthusiast since 2006
  • Simon Balz ([email protected]), Senior IT Consultant and Splunk Enthusiast since 2007
  • Christoph Dittmann ([email protected])
  • Harun Küssner ([email protected])
