Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting


Review risk notables to identify risk in Splunk Enterprise Security

Evaluate the risk associated with risk notables using the following methods:

Use the drill down search to review risk notables

Follow these steps to correlate and aggregate the risk associated with assets and identities in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, select Content > Content Management to open the risk incident rule in the correlation search editor.
  2. Go to Adaptive Response Actions > Notable.
  3. Using the Drill-down Search, identify the following:
    • All relevant risk events applied to the risk object, including the risk message, src, dest, user, and risk factors
    • MITRE ATT&CK annotations
    • Related risk objects associated with the risk events

    The following example drill-down search identifies the risk events for the risk object itself (primary_object) and then appends the risk events in which that object appears only as the dest, src, or user (related_object), so the MITRE ATT&CK annotations, risk scores, and related risk objects are all returned in one result set:

    | from datamodel:"Risk.All_Risk"
    | search risk_object="$risk_object$"
    | table _time, risk_object, risk_object_type, source, annotations.mitre_attack.mitre_tactic_id, annotations.mitre_attack.mitre_technique_id, dest, src, user, risk_message, calculated_risk_score, risk_factor*
    | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_technique_id as mitre_technique_id
    | eval risk_event_type="primary_object"
    | append [
        | from datamodel:"Risk.All_Risk"
        | search risk_object!="$risk_object$" (dest="$risk_object$" OR src="$risk_object$" OR user="$risk_object$")
        | table _time, risk_object, risk_object_type, source, annotations.mitre_attack.mitre_tactic_id, annotations.mitre_attack.mitre_technique_id, dest, src, user, risk_message, calculated_risk_score, risk_factor*
        | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_technique_id as mitre_technique_id
        | eval risk_event_type="related_object" ]

    The $risk_object$ token is substituted with the risk object of the selected notable, so these drill-down searches let you investigate the risk object associated with a risk notable directly from the Incident Review page.
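    The following Python script is an added, offline illustration of the logic the drill-down search above expresses in SPL; it is not Splunk code. It runs the same primary_object/related_object split over constructed rows shaped like Risk.All_Risk (after the rename of the annotation fields) and then derives the two things an analyst reads from the results: the distinct MITRE ATT&CK tactics and techniques for the risk object and the most frequent contributing risk objects. All hosts, users, scores and messages are hypothetical.

```python
from collections import Counter

# Constructed sample rows shaped like Risk.All_Risk after the SPL rename
# (hypothetical hosts, users and scores; not real data).
RISK_EVENTS = [
    {"_time": 1, "risk_object": "jsmith", "risk_object_type": "user", "source": "Email link clicked",
     "src": "10.1.2.3", "dest": "wks-17", "user": "jsmith", "calculated_risk_score": 40,
     "mitre_tactic_id": "TA0001", "mitre_technique_id": "T1566", "risk_message": "User clicked a phishing link"},
    {"_time": 2, "risk_object": "wks-17", "risk_object_type": "system", "source": "Suspicious PowerShell",
     "src": "10.1.2.3", "dest": "wks-17", "user": "jsmith", "calculated_risk_score": 30,
     "mitre_tactic_id": "TA0002", "mitre_technique_id": "T1059.001", "risk_message": "Encoded PowerShell on wks-17"},
    {"_time": 3, "risk_object": "jsmith", "risk_object_type": "user", "source": "Unusual share access",
     "src": "wks-17", "dest": "fileserver01", "user": "jsmith", "calculated_risk_score": 25,
     "mitre_tactic_id": "TA0009", "mitre_technique_id": "T1039", "risk_message": "First access to finance share"},
    {"_time": 4, "risk_object": "admin42", "risk_object_type": "user", "source": "Credential access",
     "src": "10.9.9.9", "dest": "dc01", "user": "admin42", "calculated_risk_score": 50,
     "mitre_tactic_id": "TA0006", "mitre_technique_id": "T1003", "risk_message": "Credential access alert on dc01"},
]

def drill_down(events, risk_object):
    """Mirror the two legs of the SPL: events whose risk_object is the notable's
    object become primary_object; events that only mention it as src, dest or
    user become related_object. Everything else is dropped."""
    out = []
    for e in events:
        if e["risk_object"] == risk_object:
            out.append({**e, "risk_event_type": "primary_object"})
        elif risk_object in (e["src"], e["dest"], e["user"]):
            out.append({**e, "risk_event_type": "related_object"})
    return sorted(out, key=lambda e: e["_time"])

def mitre_posture(events):
    """Distinct (tactic, technique) pairs contributing to the notable."""
    return sorted({(e["mitre_tactic_id"], e["mitre_technique_id"]) for e in events})

def primary_score(events):
    """Sum of calculated_risk_score over the primary_object events only."""
    return sum(e["calculated_risk_score"] for e in events if e["risk_event_type"] == "primary_object")

def top_risk_objects(events, n=3):
    """Most frequent risk objects among the contributing events."""
    return Counter(e["risk_object"] for e in events).most_common(n)

if __name__ == "__main__":
    rows = drill_down(RISK_EVENTS, "jsmith")
    for r in rows:
        print(r["_time"], r["risk_event_type"], r["risk_object"], r["mitre_technique_id"], r["risk_message"])
    print("posture:", mitre_posture(rows), "primary score:", primary_score(rows))
```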

Review risk notables from the same risk object

Follow these steps to surface high risk notables that come from the same risk object so that you can investigate connected behaviors and threats:

  1. Configure the risk_object_type field correctly so that Splunk Enterprise Security can normalize the assets and identities and group their risk events accurately.
    • Ensure that the risk_object_type field of the risk event is set to system so that Splunk Enterprise Security associates the risk object of a user's risk event with an asset.
    • Ensure that the risk_object_type field of the risk event is set to user so that Splunk Enterprise Security associates the risk object of a user's risk event with an identity.
  2. Navigate to the Search page and search for index=notable to view the normalized risk object associated with a risk notable.
  3. Navigate to the Incident Review page and expand the risk notable to view the most frequent risk objects from all the contributing risk events grouped together.

For more information on reviewing risk notables originating from the same risk object, see Risk notables from the same risk object.

Review risk notables enriched by entity zones

Follow these steps to surface high risk notables based on entity zones so that you can investigate threats effectively based on the additional context provided by the entity zones:

  1. In the Incident Review page, expand the risk notable to view the entity zone associated with a risk notable.
  2. Evaluate the risk associated with the risk notables if they pertain to the same entity zone.

When you upgrade to Splunk Enterprise Security version 7.1.0, contributing risk events for risk notables might not be visible in the Risk Event Timeline if the risk notables were created before the upgrade and any one of the following conditions is met:

  • Entity zones are enabled
  • Changes are made to the entity zones that apply to existing risk notables
  • Asset and identity framework is disabled

Additionally, if you make changes to the entity zones or the assets and identity framework, you might cause a change to the risk object normalization, which might result in contributing risk events not being visible in the Risk Event Timeline visualization. This pertains to risk notables that were created prior to making the changes to the entity zones and assets and identity framework.

For more information on entity zones, see Enable entity zones for assets and identities in Splunk Enterprise Security.

View the MITRE ATT&CK posture for a risk notable

View the MITRE ATT&CK posture within the context of a risk notable so that you can reduce the mean time to detection (MTTD) and mean time to repair (MTTR) and enhance the situational awareness in your security operations center (SOC).

Follow these steps to view the MITRE ATT&CK posture for a risk notable in context:

  1. On the Splunk Enterprise Security Search app, select Incident Review.
  2. Expand a risk notable from the list of risk notables.
  3. Scroll to MITRE ATT&CK Posture for this Notable to see the highlighted MITRE tactics and techniques that were detected for the risk object.

    The MITRE matrix chart displays all the tactics and techniques for every risk event associated with the risk object for that risk notable.

    You can also scroll to Additional Fields to see the list of MITRE ATT&CK tactics and techniques for the risk notable.

See also

For more information about risk notables and entity zones, see the product documentation.

Risk notables enriched by entity zones
Enable entity zones for assets and identities in Splunk Enterprise Security
After upgrading to Splunk Enterprise Security version 7.1.0

Last modified on 05 February, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1