Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Overview of Incident Review in Splunk Enterprise Security

The Incident Review dashboard displays notable events and their current status. You can also filter notable events based on specific fields and accelerate the triage of notable events through an investigation workflow.

A notable event represents one or more anomalous incidents detected by a correlation search across data sources. For example, a notable event can represent:

  • The repeated occurrence of an abnormal spike in network usage over a period of time
  • A single occurrence of unauthorized access to a system
  • A host communicating with a server on a known threat list

As an analyst, you can use the dashboard to gain insight into the severity of events occurring in your system or network. You can use the dashboard to triage new notable events, assign events to analysts for review, and examine notable event details for investigative leads.

As an administrator, you can manage and customize Incident Review and notable event settings. See Managing Incident Review in Splunk Enterprise Security for more information about administrator activities.

The option to run a real-time search is no longer available on the Incident Review page in release 6.6.2 or higher.

Onboarding guidance to improve analyst workflow on Incident Review page

Splunk Enterprise Security offers onboarding guidance to explore some of the features on the Incident Review page to improve analyst workflows. These features include:

To access the onboarding guidance, select the Incident Review tab in the Splunk Enterprise Security app.

Visualizations and charts on the Incident Review page

Use the pie charts and the timeline visualization to gain greater insight into notables. To display the charts on the Incident Review page, select Show Charts.

The four pie charts display the notables by the following criteria:

  • Notables by Urgency: Classifies all notables based on the importance of the notable event such as Critical, High, Low, Medium, Informational, or Unknown.
  • Notables by Status: Classifies all notables based on the status of the notable such as New, In progress, Pending, Resolved, or Closed.
  • Notables by owner: Classifies all notables based on owners such as Unassigned, Administrator, or by specific names.
  • Notables by Domain: Classifies all notables based on the security domain from which the notable is generated such as Access, Audit, Endpoint, Identity, Network, or Threat.

Use the timeline visualization to identify the specific time during which the notables were generated. To display the timeline on the Incident Review page, select Show Timeline. You can zoom in, zoom out, select, or deselect to focus on specific periods of time and view related events that might be of interest for more targeted threat investigations. For more information on the risk event timeline visualization, see Analyze risk events using the Risk Timeline in Splunk Enterprise Security.

How Splunk Enterprise Security identifies notable events

Splunk Enterprise Security detects patterns in your data and automatically reviews events for security-relevant incidents using correlation searches. When a correlation search detects a suspicious pattern, the correlation search creates a new notable event.

The Incident Review dashboard surfaces all notable events, and categorizes them by potential severity so you can quickly triage, assign, and track issues.

Incident review workflow

You can use this example workflow to triage and work notable events on the Incident Review dashboard.

  1. An administrative analyst monitors the Incident Review dashboard, sorting and performing high-level triage on newly-created notable events.
  2. When a notable event warrants investigation, the administrative analyst assigns the event to a reviewing analyst to start investigating the incident.
  3. The reviewing analyst updates the status of the event from New to In Progress, and begins investigating the cause of the notable event.
  4. The reviewing analyst researches and collects information on the event using the fields and field actions in the notable event. The analyst records the details of their research in the Comments field of the notable event. As part of the research, the analyst might run adaptive response actions. If the research proves that the notable event needs more lengthy investigation, the analyst can assign the notable event to an investigation.
  5. After the reviewing analyst addresses the cause of the notable event and any remediation tasks have been escalated or solved, the analyst sets the notable event status to Resolved.
  6. The analyst assigns the notable event to a final analyst for verification.
  7. The final analyst reviews and validates the changes made to resolve the issue, and sets the status to Closed.

Investigate a risk notable based on known security frameworks

Identify the specific tactics and techniques of known security frameworks, such as MITRE ATT&CK or Kill Chain, that map to a risk notable. Mapping these security frameworks to risk notables helps to classify attacks, understand adversary behavior, and assess an organization's risk. You can also use these mappings to gain insight into how adversaries might operate in various scenarios and create informed strategies on how to detect and ultimately prevent those behaviors from affecting the security of your organization.

Follow these steps to drill down on the specific tactics and techniques that map to a risk notable:

  1. From the Splunk Enterprise Security menu bar, select Incident Review.
  2. From the list of notables, expand the specific risk notable of interest to display the security posture based on MITRE ATT&CK or another security framework.

The visualization highlights the specific tactics and techniques that are currently detected in the risk notable.

You can also use the Workbench-Risk (risk_object) as Asset workflow action panels or the Risk tab in Workbench to visually classify the risk objects based on MITRE ATT&CK techniques and tactics. For more information on identifying annotation-based risk objects in Splunk Enterprise Security, see Identify annotations based risk objects in Splunk Enterprise Security.

Change the UI theme of Splunk Enterprise Security

When using Splunk Enterprise Security version 7.0.2 or higher and Splunk Cloud Platform version 9.0.2208 or higher, you can switch UI themes using the Splunk Enterprise search app.

Follow these steps to select the UI theme using the Splunk Enterprise search app:

  1. In the Splunk Enterprise Search app, navigate to Administrator > Preferences.
  2. Scroll to Theme and select from the following options to set a theme for your ES app:
    • Default System Theme
    • Light
    • Dark

    The default setting for the UI theme in Splunk Enterprise Security is the dark theme.

For more information on selecting the UI theme in the Splunk search app, see Change the UI theme of Splunk Cloud Platform.

If you are using the on-prem version of the Splunk Enterprise Security app, you also have the option to switch the UI theme using the following steps:

  1. In the Splunk Enterprise Security app, navigate to Configure > General > General Settings.
  2. Scroll to ES Theme and select a theme for your ES app.

Currently, not all apps used with Splunk Enterprise support the dark theme. If the dark theme is not supported, the default theme, "Enterprise", is applied.

When you load the Common Information Model (CIM) app within the ES context using Configure > CIM Setup, the mode displayed for CIM is the same as set for Enterprise Security. However, when you load the CIM app independently of Splunk Enterprise Security, Enterprise mode is displayed by default.

Users such as ess_analyst or ess_user cannot switch between the dark and Enterprise modes themselves. However, as an administrator, you can grant access to other users and override the dark mode upon request by editing the user-prefs.conf configuration file.
To enable specific users to access the Enterprise mode, add theme = enterprise in the [general] stanza of the user-prefs.conf configuration file located at ./etc/users/<userid>/user-prefs/local/user-prefs.conf.
To enable all other users to access the Enterprise mode at a system level, add theme = enterprise in the [general] stanza of the user-prefs.conf configuration file located at ./etc/apps/user-prefs/local/user-prefs.conf.
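The two user-prefs.conf locations above differ only in scope, and a user-level file overrides the system-level one for that user. The following added example (not Splunk's own tooling) writes the theme setting into either file without clobbering other stanzas and resolves the effective theme for a user; it assumes the files stay simple enough for an INI parser and that SPLUNK_HOME is the install root.

```python
import configparser
import tempfile
from pathlib import Path

DEFAULT_THEME = "dark"  # the page states ES defaults to the dark theme

def prefs_path(splunk_home, userid=None):
    """User-level file for userid, or the system-level file when userid is None."""
    etc = Path(splunk_home) / "etc"
    if userid is None:
        return etc / "apps" / "user-prefs" / "local" / "user-prefs.conf"
    return etc / "users" / userid / "user-prefs" / "local" / "user-prefs.conf"

def read_prefs(path):
    """Parse a user-prefs.conf; Splunk .conf files are INI-like, so configparser suffices here."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # preserve key case exactly as written
    if path.exists():
        cp.read(path)
    return cp

def set_theme(splunk_home, theme, userid=None):
    """Set theme = <theme> in [general], creating the file and keeping other stanzas intact."""
    path = prefs_path(splunk_home, userid)
    cp = read_prefs(path)
    if not cp.has_section("general"):
        cp.add_section("general")
    cp.set("general", "theme", theme)
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w") as fh:
        cp.write(fh)
    return path

def effective_theme(splunk_home, userid):
    """Precedence: the user's own local file beats the system-level file, which beats the default."""
    for path in (prefs_path(splunk_home, userid), prefs_path(splunk_home)):
        cp = read_prefs(path)
        if cp.has_option("general", "theme"):
            return cp.get("general", "theme")
    return DEFAULT_THEME

def demo():
    """Walk the page's two cases in a throwaway SPLUNK_HOME (constructed, not a real install)."""
    home = tempfile.mkdtemp()
    before = effective_theme(home, "alice")          # nothing set yet
    set_theme(home, "enterprise")                    # system-level override for all users
    system_wide = effective_theme(home, "alice")
    set_theme(home, "dark", userid="alice")          # alice asks to go back to dark
    return before, system_wide, effective_theme(home, "alice"), effective_theme(home, "bob")
```

Splunk reads the change only after a restart or a `debug/refresh` of the affected configuration, so verify the result in the UI rather than trusting the file alone.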

Last modified on 06 February, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0, 7.3.1, 7.3.2
