Splunk® Enterprise Security

Use Cases

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Classify risk objects based on annotations

Ram views the annotations associated with the risk objects by accessing the Embedded Risk Workbench panels in Splunk Enterprise Security and classifies the risk objects for more targeted threat investigation. Risk workbench panels provide at-a-glance risk-based insight into the severity of the events occurring in Ram's system or network, help to prioritize notable events, assign targeted notable events to security analysts for review, and examine specific notable annotations for investigations.

By visually classifying the risk objects based on risk modifiers, risk scores, MITRE ATT&CK techniques, and tactics, Ram can identify specific adaptive response actions and streamline his threat investigation process.

  1. From the Enterprise Security menu, Ram selects Incident Review to display the Incident Review page and see a list of notable events for the security domains.
  2. Ram expands a notable event by clicking on Action next to the Risk Object, Destination, User, or Source fields.
  3. Ram selects the Workbench-Risk (risk_object) as Asset action.
    This opens the Embedded Workbench panel that displays the following items:
  • Recent risk modifiers that are applied to the risk object.
  • Risk scores by artifact and trends of risk modifiers over time.
  • Pie chart displaying the distribution of artifacts by MITRE ATT&CK techniques like Driven by Compromise, Account Manipulation, and so on.
  • Pie chart displaying the distribution of artifacts by MITRE ATT&CK tactics like discovery, persistence, defense evasion, and so on.
  • Time chart displaying the MITRE ATT&CK Techniques Over Time.
  • Time chart displaying the MITRE ATT&CK Tactics Over Time.

Using the visuals and charts Ram now investigates the risk objects for a single artifact in the Embedded Workbench. EmbeddedWorkbench

Last modified on 19 January, 2022
 

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters