Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

How the Risk Timeline visualization works in Splunk Enterprise Security

Use the Risk Timeline, a popup visualization, to drill down and analyze the correlation of the risk events with their associated risk score. You can also analyze the risk events associated with a risk notable by expanding the risk notable and reviewing specific fields.

The Risk Timeline visualization uses color codes on the icons to indicate the severity of the risk scores. The color coding of risk score icons is consistent across the Contributing Risk Events table and the Risk Timeline visualization of the risk events. A lighter color icon corresponds to a lower risk score.

The Risk Timeline might not be available unless all of the required fields are present in the risk notable.

You can view a maximum of 100 risk events on the Contributing Risk Events table and the Risk Timeline visualization. If you have more than 100 risk events, the event count displays as 100+ on the header and includes a link to the search page that displays the complete list of risk events. If the number of risk events is less than 100, the event count displays as is.

The risk score shown in the Contributing Risk Events table and the Risk Timeline visualization is the calculated risk score aggregated across all of the contributing risk events.

How the Risk Timeline gets populated

The Risk Timeline gets populated based on the drilldown search associated with the risk incident rule for the risk notable.

Following is an example that demonstrates how the Risk Timeline visualization gets populated.

Suppose you have the following events in the Risk data model:

Risk object   Risk object type   Risk score
foo           user               30
bar           user               50
foo           user               30

The underlying notable search must contain the following required fields:

  • risk_object
  • risk_object_type
  • risk_score
  • risk_event_count
  • drilldown_earliest
  • drilldown_latest
  • drilldown_search

Following is an example of the search for the risk notables with associated results:

| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count from datamodel=Risk.All_Risk by All_Risk.risk_object, All_Risk.risk_object_type

The results look something like this:

Risk object   Risk object type   Risk score   Risk event count
foo           user               60           2
bar           user               50           1

Although the search results add the drilldown fields automatically, you must still enter a drilldown search when you configure the risk notable in the Correlation Search editor. Additionally, the notable drilldown search must include the calculated_risk_score field from the Risk data model.

Following is an example of the drilldown_search:

| from datamodel:"Risk.All_Risk" | search risk_object="$risk_object$" risk_object_type="$risk_object_type$"

As shown in this example, the calculated_risk_score already exists in the Risk data model and gets calculated automatically.
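The following Python script is an added example, not code from Splunk or from this documentation page. It models, outside Splunk, what the tstats search above does to the sample events (summing calculated_risk_score and counting events per risk object), assembles the resulting risk notable with the required fields listed earlier, checks that none of those fields is missing, and applies the 100-event display cap described at the top of the page. The sample events and the drilldown_earliest and drilldown_latest values are constructed for the example; the field and data model names are the ones the page uses.

```python
from collections import OrderedDict

# Constructed sample events, mirroring the three rows in the Risk data model table above.
RISK_EVENTS = [
    {"risk_object": "foo", "risk_object_type": "user", "calculated_risk_score": 30},
    {"risk_object": "bar", "risk_object_type": "user", "calculated_risk_score": 50},
    {"risk_object": "foo", "risk_object_type": "user", "calculated_risk_score": 30},
]

# Fields the page lists as required for the Risk Timeline to populate.
REQUIRED_FIELDS = (
    "risk_object",
    "risk_object_type",
    "risk_score",
    "risk_event_count",
    "drilldown_earliest",
    "drilldown_latest",
    "drilldown_search",
)

# Maximum number of risk events the Contributing Risk Events table and timeline show.
EVENT_DISPLAY_LIMIT = 100


def aggregate_risk(events):
    """Model the tstats search: sum(calculated_risk_score) as risk_score and
    count(calculated_risk_score) as risk_event_count, grouped by
    (risk_object, risk_object_type). Insertion order is kept so the result
    reads like the results table on the page."""
    totals = OrderedDict()
    for event in events:
        key = (event["risk_object"], event["risk_object_type"])
        acc = totals.setdefault(key, {"risk_score": 0, "risk_event_count": 0})
        acc["risk_score"] += event["calculated_risk_score"]
        acc["risk_event_count"] += 1
    return totals


def drilldown_search(risk_object, risk_object_type):
    """Build the drilldown search from the page with the notable's tokens filled in."""
    return (
        '| from datamodel:"Risk.All_Risk" '
        f'| search risk_object="{risk_object}" risk_object_type="{risk_object_type}"'
    )


def build_notable(risk_object, risk_object_type, totals,
                  drilldown_earliest="-24h", drilldown_latest="now"):
    """Assemble one risk notable row. The earliest/latest values are assumed
    placeholders for this example, not values taken from the page."""
    agg = totals[(risk_object, risk_object_type)]
    return {
        "risk_object": risk_object,
        "risk_object_type": risk_object_type,
        "risk_score": agg["risk_score"],
        "risk_event_count": agg["risk_event_count"],
        "drilldown_earliest": drilldown_earliest,
        "drilldown_latest": drilldown_latest,
        "drilldown_search": drilldown_search(risk_object, risk_object_type),
    }


def missing_required_fields(notable):
    """Return the required fields that are absent or empty; an empty list means
    the notable carries everything the Risk Timeline needs."""
    return [f for f in REQUIRED_FIELDS if notable.get(f) in (None, "")]


def event_count_label(count, limit=EVENT_DISPLAY_LIMIT):
    """Render the event count the way the header does: counts above the limit
    collapse to '100+', everything else displays as is."""
    return f"{limit}+" if count > limit else str(count)


if __name__ == "__main__":
    totals = aggregate_risk(RISK_EVENTS)
    for (obj, obj_type), agg in totals.items():
        notable = build_notable(obj, obj_type, totals)
        print(obj, obj_type, agg["risk_score"], agg["risk_event_count"],
              "missing:", missing_required_fields(notable),
              "header:", event_count_label(agg["risk_event_count"]))
```

Running the script reproduces the results table from the page (foo/user scores 60 over 2 events, bar/user scores 50 over 1 event) and reports no missing fields for either notable; dropping any of the drilldown fields from a notable shows up in missing_required_fields, which is the condition under which the Risk Timeline does not populate.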

See also

For more information about risk notables and the visualizations available for RBA in Splunk Enterprise Security, see the product documentation.

Create risk notables in Splunk Enterprise Security

Analyze risk events using the Risk Timeline in Splunk Enterprise Security

Analyze risk notables using Threat Topology in Splunk Enterprise Security

Fields in a risk notable

Last modified on 20 November, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0
