Notable events and incident workflow
The Splunk App for Enterprise Security uses the concept of notable events to reveal security posture and support an incident response workflow. The Security Posture and Incident Review dashboards are used to display and interact with notable events.
These dashboards aggregate significant security events across the environment. To reduce the amount of effort required to search through your security events for incidents, the Splunk App for Enterprise Security uses special Splunk searches called correlation searches to detect patterns in your data and identify security issues that require investigation. If a suspicious pattern is detected, Enterprise Security creates a special event called a "notable event", and places it on the Incident Review dashboard.
Attributes of correlation searches can be tuned, such as the alerting behavior or the threshold, that is, the number of individual events that must occur before a notable event is triggered. Have your Enterprise Security administrator refer to "Configure Correlation Searches" in the Splunk App for Enterprise Security Installation and Configuration Manual for more information.
Custom correlation searches can use the Splunk search language; for more information, see "Get started with Search" in the core Splunk product documentation.
Correlation searches
Correlation searches are real-time and scheduled saved searches that look for behaviors or patterns in the data that may warrant a security review. Each correlation search looks for a specific pattern and number of events, for example:
- A single event, such as an access attempt from an expired account.
- Multiple similar events, such as a high number of hosts with a specific infection or a single host with a high number of infections.
- Events that together indicate a known attack or problem, such as a high number of authentication failures on a single host followed by a successful authentication.
Note: On many of the correlation searches, the threshold (the number of individual events that must occur before the correlation search is triggered) can be set. See the Splunk App for Enterprise Security Installation and Configuration Manual for more information.
Create custom correlation searches using the Splunk search language. See "Get started with Search" in the core Splunk product documentation and "Configure Correlation Searches" in this manual for more information.
Notable events
When a correlation search detects suspicious behavior, it creates a "notable event" -- a single event that aggregates the information in the individual events that triggered the notable event. Notable events are stored in a special index, separate from the events in the environment.
Notable events are managed on the Incident Review dashboard, which allows security analysts to review and track notable events. Here notable events can be filtered, assigned a review status, assigned to a specific security analyst, and notes can be entered about the incident. See "Incident Review dashboard" in this manual for more information.
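The following is an added example, not code from the Splunk App for Enterprise Security: a small Python model of the three correlation-search patterns listed above (single event, threshold of similar events, sequence of failures followed by a success) and of the notable event each one produces, which aggregates its triggering raw events and is kept in a separate "notable index" that Incident Review then works from. In the real app these rules are SPL saved searches; the event field names (`_time`, `host`, `user`, `action`, `reason`) and the sample events are constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication events (assumed field names, not real Splunk data).
SAMPLE_EVENTS = [
    {"_time": 100, "host": "web01", "user": "alice", "action": "failure"},
    {"_time": 101, "host": "web01", "user": "alice", "action": "failure"},
    {"_time": 102, "host": "web01", "user": "alice", "action": "failure"},
    {"_time": 103, "host": "web01", "user": "alice", "action": "failure"},
    {"_time": 104, "host": "web01", "user": "alice", "action": "failure"},
    {"_time": 105, "host": "web01", "user": "alice", "action": "success"},
    {"_time": 200, "host": "db01", "user": "bob", "action": "failure"},
    {"_time": 201, "host": "db01", "user": "bob", "action": "success"},
    {"_time": 300, "host": "vpn01", "user": "svc_old", "action": "failure",
     "reason": "expired_account"},
]


@dataclass
class NotableEvent:
    """One aggregated record of the raw events that tripped a rule."""
    rule_name: str
    urgency: str
    summary: str
    triggering_events: list          # the raw events this notable aggregates
    status: str = "new"              # review status set on Incident Review
    owner: str = "unassigned"        # analyst the notable is assigned to
    comments: list = field(default_factory=list)


def expired_account_rule(events):
    """Single-event pattern: every access attempt on an expired account is notable."""
    notables = []
    for ev in events:
        if ev.get("reason") == "expired_account":
            notables.append(NotableEvent(
                rule_name="Access attempt from expired account",
                urgency="medium",
                summary=f"{ev['user']} attempted access on {ev['host']}",
                triggering_events=[ev],
            ))
    return notables


def brute_force_then_success_rule(events, threshold=5, window=60):
    """Sequence pattern: at least `threshold` failures on one host within
    `window` seconds, followed by a successful authentication on that host.
    `threshold` is the tunable attribute the text describes."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    notables = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: e["_time"])
        for idx, ev in enumerate(host_events):
            if ev["action"] != "success":
                continue
            recent_failures = [
                e for e in host_events[:idx]
                if e["action"] == "failure" and ev["_time"] - e["_time"] <= window
            ]
            if len(recent_failures) >= threshold:
                notables.append(NotableEvent(
                    rule_name="Brute force followed by successful authentication",
                    urgency="high",
                    summary=(f"{len(recent_failures)} failures then success for "
                             f"{ev['user']} on {host}"),
                    triggering_events=recent_failures + [ev],
                ))
    return notables


def run_correlation_searches(events, threshold=5):
    """Run every rule over the raw events; the returned list plays the role of
    the separate notable index, holding only aggregated notables."""
    notable_index = []
    notable_index.extend(expired_account_rule(events))
    notable_index.extend(brute_force_then_success_rule(events, threshold=threshold))
    return notable_index


def triage(notable, owner, status, comment):
    """Incident Review step: assign an analyst, set a review status, add a note."""
    notable.owner = owner
    notable.status = status
    notable.comments.append(comment)
    return notable


if __name__ == "__main__":
    for n in run_correlation_searches(SAMPLE_EVENTS):
        print(n.urgency, n.rule_name, "|", n.summary,
              "| raw events aggregated:", len(n.triggering_events))
```

Lowering `threshold` shows why tuning matters: at the default of 5 only the web01 sequence fires, while a threshold of 1 also turns the single failure on db01 into a high-urgency notable, which is the kind of noise an administrator adjusts the threshold to avoid.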
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1