How the Risk Timeline visualization works in Splunk Enterprise Security
Use the Risk Timeline, a popup visualization, to drill down and analyze the correlation of the risk events with their associated risk score. You can also analyze the risk events associated with a risk notable by expanding the risk notable and reviewing specific fields.
The Risk Timeline visualization uses color codes on the icons to indicate the severity of the risk scores. The color coding of risk score icons is consistent across the Contributing Risk Events table and the Risk Timeline visualization of the risk events. A lighter color icon corresponds to a lower risk score.
You might not be able to use the Risk Timeline unless all required fields are present within the risk notable.
You can view a maximum of 100 risk events on the Contributing Risk Events table and the Risk Timeline visualization. If you have more than 100 risk events, the event count displays as 100+ on the header and includes a link to the search page that displays the complete list of risk events. If the number of risk events is less than 100, the event count displays as is.
The risk score in the Contributing Risk Events table and the Risk Timeline visualization is the calculated risk score of all events.
How the Risk Timeline gets populated
The Risk Timeline gets populated based on the drilldown search associated with the risk incident rule for the risk notable.
Following is an example that demonstrates how the Risk Timeline visualization gets populated.
Say, you have the following events in the Risk data model:
| Risk object | Risk object type | Risk score |
|---|---|---|
| foo | user | 30 |
| bar | user | 50 |
| foo | user | 30 |
The underlying notable search must contain the following required fields:
risk_objectrisk_object_typerisk_scorerisk_event_countdrilldown_earliestdrilldown_latestdrilldown_search
Following is an example of the search for the risk notables with associated results:
| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count from datamodel=Risk.All_Risk by All_Risk.risk_object, All_Risk.risk_object_type
The results look something like this:
| Risk object | Risk object type | Risk score | Risk event count |
|---|---|---|---|
| foo | user | 60 | 2 |
| bar | user | 50 | 1 |
Though search results add the drilldown fields automatically, you must enter a drilldown search when you configure the risk notable on the Correlation Search editor. Additionally, the notable drilldown search must contain the calculated_risk_score field from the Risk data model.
Following is an example of the drilldown_search:
| from datamodel:"Risk.All_Risk" | search risk_object="$risk_object$" risk_object_type="$risk_object_type$"
As shown in this example, the calculated_risk_score already exists in the Risk data model and gets calculated automatically.
See also
For more information about risk notables and the visualizations available for RBA in Splunk Enterprise Security, see the product documentation.
Create risk notables in Splunk Enterprise Security
Analyze risk events using the Risk Timeline in Splunk Enterprise Security.
Analyze risk notables using Threat Topology in Splunk Enterprise Security
| Default risk factors in Splunk Enterprise Security | Analyze risk events using the Risk Timeline in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0
Download manual
Feedback submitted, thanks!