Skip to main content

Risk Scores

The following article exclusively pertains to a Security Data Lake Security feature or functionality. Security Data Lake Security is a part of the Security Data Lake centralized log management platform and requires a separate license. Contact the Security Data Lake Sales team for more information on this product.Graylog Security

Security Data Lake Security assigns risk scores to events based on the potential threat they represent to your system's security. Risk scores help you prioritize security events by quantifying and combining a variety of data points from the event definition and related assets.

This article describes the two types of risk scores in Security Data Lake:

In addition, Security Data Lake can raise event risk scores when it determines an event is part of a known threat campaign. When you enable this feature, event scores are raised for each event from the campaign, known as a detection chain, that Security Data Lake recognizes. See Amplify Risk Scores with Detection Chains for more information.

Event Risk Scores

Event risk scores are a numerical assessment that represents the level of risk an event represents for your environment. This allows you to prioritize events with high risk factors for action, such as performing additional research or initiating a security investigation.

It is important to understand how risk scores are calculated as well as the user settings that affect these scores. Security Data Lake event risk scoring is based on several factors, including log message severity, event priority, and asset priority. Not every factor is present for every event.

Event Risk Score Calculation

When a security event is created, Security Data Lake uses three primary elements to calculate the risk score for that event:

  • Log message severity: This value comes from the GIM schemaalert_severity_level field. The higher the value in the log message, the higher the value that will be used in the calculation. If the log message includes no alert_severity_level value, a low-severity value is used as the default. When an event is triggered based on an aggregation of multiple log messages, the average severity across all of those messages will be used in the calculation.

  • Event priority: Events can created by event definitions, Sigma rules, or anomaly detectors. Security Data Lake calculates the risk score for each type of event differently:

    • Event definitions: You set a priority value when you create an event definition. The risk-scoring algorithm assigns higher numeric values to higher priorities.

    • Sigma rules: Similar to event definitions, you can set a priority level as part of the Sigma rule definition. If not specified, the priority for a Sigma rule defaults to medium.

    • Anomaly detectors: The risk score calculation uses the anomaly_score value that is generated when an anomalous event is triggered. This value is based on the anomaly_grade and anomaly_confidence factors and is normalized to a value on the scale of 0-100. Refer to Anomaly Detection for more information.

  • Asset priority: If the event has an associated asset, the risk-scoring algorithm includes the asset priority value.

Ensure Effective Event Risk Scores

Make sure you assign your assets a priority value that reflects their risk level accurately. Values that the user sets form the basis for the calculation of risk scores. Factors such as event priorities and asset priorities directly impact the risk score calculation. Low priority event definitions will produce lower risk scores. If you create an event definition for "multiple failed logins that happen outside business hours" for example, it may be a mistake to assign a low priority. In fact, this kind of event calls for caution, and therefore the priority should be set to high. Assigning the wrong priority to your event definitions can lead to events being overlooked and risks not being addressed appropriately.

Additionally, ensure your logs are associated with related assets. An event risk score is not calculated unless there is an asset associated with the logs that triggered the event. You can associate your logs with assets by enabling the Assets pack in Illuminate or by using the set_associated_assets [PROBLEM LINK] pipeline function in your custom processing pipelines.

  1. Security event definition priority level: set or edited through the event definition wizard (Security Events > Definitions).

  2. Sigma rules event priority: set or edited as part of the Sigma rule definition code (Sigma Rules > Rules).

  3. Asset priority: set or edited on the Assets page for each type of asset.

  4. Log-asset association: enabled with the Illuminate Assets pack or by using the set_associated_assets pipeline function

    Note

    Watch your risk scores over time, including the results of any research or investigations that lead from these events. If your results don't match your expectations, consider revising the related priority settings.

View Event Risk Scores

Risk scores are displayed on the Security Events page in the Security interface. In the list view of events, a risk score is attached to each event. You can also sort this list by the risk score column so that events with the highest risk appear at the top.

SDL_security_events_1319464_en_1.png

Note

When you select an event to view more information, the risk score for that event is also shown in the detail pane.

Asset Risk Scores

Triggered events are classified as "open." When an open event that has associated assets is detected, an asset risk score is calculated and assigned to those assets. The asset risk score is calculated separately from the event risk score, and so it may be different.

The asset risk score calculation is based on:

  • The highest open event risk score.

  • Any vulnerabilities imported from a vulnerability scanner and attached to a machine asset.

Asset risk scores focus on the asset itself rather than focusing specifically on a single security event. The goal is to provide you with security information about a specific asset so that you do not need to spend time searching through numerous security events to find which asset is at risk. You can begin an investigation more efficiently if the asset that needs attention can be pinpointed via a high risk score. See Asset Risk Score Calculation for more information about how security events and vulnerabilities affect asset risk score calculation.

An asset can be a user or a machine. Machine assets can have vulnerability scan data attached to them, but user assets cannot. When an asset risk score is calculated, vulnerabilities are taken into account for the machine asset.

View Asset Risk Scores

Asset risk scores may be viewed in:

  • The Security Data Lake Security interface under the Assets tab.

  • The asset drawer that appears when you click on any asset on the Assets page.

Asset risk scores are color coded according to severity.

Asset Risk Score Calculation

Asset risk scores are calculated based on the highest open event risk score and any reported vulnerabilities. Because the event risk score is partially based on the event priority, user input has an important effect. The asset risk score reflects the degree of risk determined by the user when setting the event priority. See Ensure Effective Event Risk Scores for more information.

If events from multiple event definitions are associated with an asset, its risk score will be amplified to reflect the situation. When calculating the asset risk score, the event with the highest event risk score is used for the base calculation.

The asset risk score is calculated based on various factors including the alert_severity value taken from the source log data, asset priority, and asset vulnerabilities. The score is normalized to the range of 0-100, which makes it easier to interpret and compare risk scores.

An asset risk score gives you a snapshot of the current level of risk associated with an asset. Asset risk scores are calculated when events are detected and then recalculated when the events are closed. If there are no open events associated with an asset, the asset's risk score will be zero.

Note

If an asset is associated with a security event, then the asset risk score is recalculated when the event is fired and again when the event is closed. If an asset appears in a vulnerability scan but there are no associated security events, the asset risk score is not recalculated.

Ensure Effective Asset Risk Scores

Asset risk scores are based on vulnerabilities and event risk scores, which are affected by the event priority level set by a user.

If there are multiple open security events for an asset, the highest event risk score will be used when calculating the asset risk score. Therefore, the event risk score should be evaluated carefully.

Asset Risk Score Use Cases

These use cases demonstrate how the below factors affect the calculation of an asset risk score. Let's walk through a scenario for each category:

  • Asset priorities

  • Event risk scores

  • Vulnerabilities

Scenario 1

Trudy is a Tier 2 security operations center analyst at an IT company. A Tier 1 analyst has just triaged failed login attempts for two different assets. Trudy looks into the related assets. One is a company laptop and the other is the company database. Because the company database contains personally identifiable information (PII) related to all company employees, it has a high asset risk score. The laptop carries a low asset risk score. Trudy decides to start her investigation by initially focusing on the company database.

Scenario 2

Trudy notices two events with varying event risk scores. The first event involves "two failed logins to the system in under one minute." In the second event there have been "20 failed logins to the system in under one minute." Trudy deduces that the first event was most likely caused by user error, such as a user mistyping their credentials. She checks the event definitions to see that one has a low priority while the other has a high priority, but she does not assign the priorities after events have happened. In each case, the event risk score is reflected in the asset risk score.

Scenario 3

Trudy receives notifications about a possible attack targeting multiple company laptops. One of the laptops has a higher asset risk score. She sees that this laptop has vulnerabilities and has not been updated recently. Trudy focuses her attention on this vulnerable laptop.

Understand Different Scores

In some cases, the event risk score and asset risk score can be the same. When an asset risk score is not the same as an event risk score, these factors are in play:

  • Multiple associated events (e.g. an asset targeted by multiple attack tactics)

  • Vulnerabilities (e.g. machines that are not patched or updated, or other issues)

For example, a laptop that has been targeted multiple times and also has vulnerabilities has a higher asset risk score than its event risk score.

Amplify Risk Scores with Detection Chains

The following article exclusively pertains to a Security Data Lake Security feature or functionality. Security Data Lake Security is a part of the Security Data Lake centralized log management platform and requires a separate license. Contact the Security Data Lake Sales team for more information on this product.Graylog Security

Security Data Lake can amplify risk scores when it detects events that are part of known attacks or threat campaigns. These campaigns are tracked through linked events, called detection chains.

Consider that a single event might not seem significant by itself, especially if an event has a low risk score initially. However, when Security Data Lake detects an event that is part of a detection chain, it can raise the risk score. Then, with each additional event in the chain that is detected, the score continues to amplify, raising its associated threat potential and indicating that it is a high priority for mitigation.

This article explains how detection chains work in Security Data Lake, how to enable this feature in your environment, and how you can keep track of these threats in the web interface.

Track Detection Chains

Security Data Lake tracks detection chains through Sigma rules, which are provided in the prerequisite Illuminate content pack. After you enable the content pack, you have access to all the Sigma rules it contains. Each Sigma rule looks for a specific event. Each event is one step in a detection chain.

However, keep in mind that a detection chain represents an attack that consists of multiple events. To fully track a detection chain that occurs in your environment, you must enable each relevant Sigma rule for the chain. As additional security events in the chain are triggered, they receive higher risk scores. You can set notifications for each security event so that you receive prompt notice when a possible threat is active.

Enable Detection Chains

To enable risk score amplification with detection chains, you must first ensure the Illuminate content pack is enabled, then you must review and enable the Sigma rules for the detection chains you want Security Data Lake to detect.

To enable the Illuminate content pack:

  1. Navigate to Enterprise > Illuminate in the General layout.

  2. Locate Illuminate Windows Detection Chains - Sigma Rules content pack. You can search for Windows Detection Chains to filter the list to find this content pack.

  3. Select the content pack check box, then click Install Packs.

  4. Click Confirm in the pop-up dialog box.

Security Data Lake installs and enables the content pack. When installation is complete, you are returned to the Illuminate Content Hub view.

To enable Sigma rules:

  1. Navigate to Security > Sigma Rules in the General layout, or select Sigma Rules from the top menu in the Security layout.

  2. Search for Detection Chain to filter the list to the content packs provided by the Illuminate Windows Detection Chains - Sigma Rules content pack. These Sigma rules all include Detection Chain in their title.

  3. Review the list and enable rules you want to detect in your environment. When you review individual Sigma rules from the content pack, you can apply search filters as well as edit notifications. The other fields are not available to edit.

When you enable a Sigma rule, a corresponding security event is automatically created and enabled by default. See Sigma Rules for more information.

View Active Detection Chains

A detection chain is considered active if any of the Sigma rules in the chain are detected. When additional rules from the detection chain are triggered within a one-week period, the risk score is raised.

When a detection chain is active, you have several indications in the Security Data Lake interface:

  • The risk score for related events goes up. If multiple events in a detection chain have been triggered, the risk score should rise above 75 and be shown in red on the Alerts list. Remember that you can sort this table by risk score to show highest-risk alerts first.

  • On the Alerts list, a Detection Chain label appears next to the risk score for any event related to a detection chain.

  • On the alert detail page, the active detection chain is shown at the top. Click the detection chain name to see the list of events from the chain. Any rules that have been triggered are highlighted, while those yet to be detected are grayed out.

    DetectionChainFound.png

    Note

    Use this view to ensure that all relevant Sigma rules are enabled. If you have a triggered event from a detection chain, make sure that you have enabled all other listed rules in that chain to receive best coverage and accurate risk scores.

In this section: