Splunk® Enterprise Security

Use Splunk Enterprise Security


Notable events and incident workflow

The Splunk App for Enterprise Security uses the concept of notable events to reveal security posture and to support an incident response workflow. The Security Posture and Incident Review dashboards are used to display and interact with notable events.

These dashboards aggregate significant security events across the environment. To reduce the amount of effort required to search through your security events for incidents, the Splunk App for Enterprise Security uses special Splunk searches called correlation searches to detect patterns in your data and identify security issues that require investigation. If a suspicious pattern is detected, Enterprise Security creates a special event called a "notable event", and places it on the Incident Review dashboard.

Attributes of correlation searches can be tuned, such as the alerting behavior or the threshold (the number of individual events that must occur before a notable event is created). Have your Enterprise Security administrator refer to "Configure Correlation Searches" in the Splunk App for Enterprise Security Installation and Configuration Manual for more information.

Custom correlation searches can use the Splunk search language; for more information, see "Get started with Search" in the core Splunk product documentation.

Correlation searches

Correlation searches are real-time and scheduled saved searches that look for behaviors or patterns in the data that may warrant a security review. Each correlation search looks for a specific pattern and number of events, for example:

  • A single event, such as an access attempt from an expired account.
  • Multiple similar events, such as a high number of hosts with a specific infection or a single host with a high number of infections.
  • Events that together indicate a known attack or problem, such as a high number of authentication failures on a single host followed by a successful authentication.

Note: On many of the correlation searches, the threshold (the number of individual events that must occur before the correlation search is triggered) can be set. See the Splunk App for Enterprise Security Installation and Configuration Manual for more information.

Create custom correlation searches using the Splunk search language. See "Get started with Search" in the core Splunk product documentation and "Configure Correlation Searches" in this manual for more information.

Notable events

When a correlation search detects suspicious behavior, it creates a "notable event" -- a single event that aggregates the information in the individual events that triggered the notable event. Notable events are stored in a special index, separate from the events in the environment.
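The third pattern listed above (many authentication failures on a single host followed by a success) and the way a notable event aggregates its contributing events can be modelled outside Splunk. The following is an added example, not code from the Splunk documentation or product: it prototypes the correlation logic in Python over constructed sample events, with the threshold and time window exposed as the tunable attributes the text describes. Field names (`_time`, `dest`, `user`, `action`) are assumed to mirror the success/failure, host and user shape of the events; they are not tied to any particular data source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data): (time, dest host,
# user, action). host-a sees an old failure, then 5 failures and a success
# inside 10 minutes; host-b sees only 1 failure before its success.
SAMPLE_EVENTS = [
    ("2015-12-08T09:40:00", "host-a", "alice", "failure"),  # outside the window
    ("2015-12-08T10:00:01", "host-a", "alice", "failure"),
    ("2015-12-08T10:00:05", "host-a", "alice", "failure"),
    ("2015-12-08T10:00:09", "host-a", "alice", "failure"),
    ("2015-12-08T10:00:14", "host-a", "alice", "failure"),
    ("2015-12-08T10:00:20", "host-a", "alice", "failure"),
    ("2015-12-08T10:01:02", "host-a", "alice", "success"),
    ("2015-12-08T10:03:00", "host-b", "bob", "failure"),
    ("2015-12-08T10:03:30", "host-b", "bob", "success"),
]

def parse(raw):
    """Turn the tuples into dicts with assumed field names (_time, dest, user, action)."""
    return [{"_time": datetime.fromisoformat(t), "dest": d, "user": u, "action": a}
            for t, d, u, a in raw]

def correlate(events, threshold=5, window_minutes=10):
    """Emit one notable event per host where at least `threshold` failed logons
    occur within `window_minutes` and are then followed by a successful logon."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(list)   # dest -> failures still inside the window
    notables = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        bucket = recent_failures[ev["dest"]]
        cutoff = ev["_time"] - window
        bucket[:] = [f for f in bucket if f["_time"] >= cutoff]   # expire old failures
        if ev["action"] == "failure":
            bucket.append(ev)
        elif ev["action"] == "success" and len(bucket) >= threshold:
            # The notable event aggregates the individual events that triggered it.
            notables.append({
                "rule_name": "Brute force followed by successful logon",
                "dest": ev["dest"],
                "user": ev["user"],
                "failure_count": len(bucket),
                "first_failure": bucket[0]["_time"].isoformat(),
                "success_time": ev["_time"].isoformat(),
                "contributing_events": bucket + [ev],
            })
            bucket.clear()   # do not alert again on the same failures
    return notables
```

Raising `threshold` to 6 silences the host-a alert, while widening `window_minutes` to 30 pulls the 09:40 failure back in and raises the count to 6; this is the tuning trade-off the note on thresholds refers to.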

Notable events are managed on the Incident Review dashboard, which allows security analysts to review and track notable events. Here, notable events can be filtered, assigned a review status, assigned to a specific security analyst, and annotated with notes about the incident. See "Incident Review dashboard" in this manual for more information.

Last modified on 08 December, 2015

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1
