Incident Review dashboard
The Incident Review dashboard displays notable events and their current status. As an analyst, you will use the dashboard to gain insight into the severity of events occurring within your system or network. You will use the dashboard views to triage new notable events, assign events to analysts for review, and examine notable event details for investigative leads.
To reduce the amount of effort required to search through your security events for incidents, the Splunk App for Enterprise Security uses correlation searches to detect patterns in your data and identify security issues that require investigation. When a suspicious pattern is detected, the correlation search creates an alert called a notable event.
A notable event represents one or more anomalous incidents that a correlation search has detected across data sources. For example, a notable event can represent:
- The repeated occurrence of an abnormal spike in network usage over a period of time
- A single occurrence of unauthorized access to a system
- A host communicating with a server on a known threat list
The Incident Review dashboard surfaces all notable events, and categorizes them by potential severity so you can quickly triage, assign, and track issues.
Use the Incident Review dashboard
The incident review process is a workflow through which you move notable events and track the actions analysts take to resolve the issues that triggered an event.
Incident review workflow
An example of the workflow for performing incident review:
- An administrative analyst monitors the Incident Review dashboard, sorting and performing high-level triaging on newly created notable events.
- When a notable event warrants investigation, the administrative analyst assigns the event to a reviewing analyst to initiate the event’s journey through the resolution workflow.
- The reviewing analyst changes the status of the event from New to In Progress, and begins investigating the cause of the notable event.
- The reviewing analyst researches and collects information on the event using the fields and field actions that are presented in the notable event. The notable event is updated with the research by recording the details in the Comments field.
- After the reviewing analyst is satisfied that the conditions of the notable event have been addressed, with any remediation tasks escalated or solved, the notable event’s status is set to Resolved. The notable event is reassigned to a final analyst for verification.
- The final analyst reviews and validates the changes made to resolve the issue, and sets the status to Closed.
The Enterprise Security app audits all incident review activity, and presents the results on the "Incident Review Audit" dashboard.
Triage notable events
The Incident Review dashboard offers several tools to facilitate the task of triaging notable events, including search filters, tagging, and sorting. Use the search filters and time range selector to focus on groups of, or an individual notable event. A notable event provides the metadata fields Urgency, Status, and Owner to assist in categorizing, tracking, and assigning events.
|Urgency||Filter by the Urgency status of the notable events||Table: select to filter out|
|Status||Filter by the workflow status of the notable events||Multi-select: Click inside the field to expose a selection menu. Choose an item to filter in. Repeat to add multiple Status filters.|
|Owner||Filter by the workflow owner of the notable events||Multi-select: Click inside the field to expose a selection menu. Choose an item to filter in. Repeat to add multiple Owner filters.|
|Security Domain||Filter by the security domain of the notable events||Multi-select: Click inside the field to expose a selection menu. Choose an item to filter in. Repeat to add multiple Security Domain filters.|
|Tag||Filter notable events by tag||Multi-item: Click inside the field and type the tag name to filter on. Repeat to add multiple Tag filters.|
|Name||Filter by string||Text field. Wildcard with an asterisk (*)|
|Search||Filter with direct Splunk search language queries (free-form entry)||Text field. Wildcard with an asterisk (*)|
|Time||Select a time range to filter results||Drop-down: select to set time-range|
Notable Event Urgency
A notable event's urgency is calculated based on the severity of the correlation search event and the priority of the asset or identity on which the event occurred. To review how urgency is calculated, see "How the urgency of an event is assigned" in this manual. Urgency levels for notable events are:
The urgency of a notable event can be changed by the security analyst. To remove the ability to modify urgency on a notable event, see "Configure Incident Review Settings" in the Installation and Configuration Manual.
Notable Event Status
A new notable event is created with a status of New. As a notable event moves through its resolution workflow, its status changes to reflect the actions the owner of the event is taking to address the event.
- Unassigned: The event has not been assigned an owner
- New (default): The event has not been reviewed
- In Progress: An owner is investigating the event
- Pending: An event closure is pending some action
- Resolved: The resolution action is complete, and awaiting verification by another user
- Closed: The event resolution is verified
You can customize the notable event status names and workflow progression. For more information, see "Configure notable events" in the Installation and Configuration Manual.
Notable Event Owner
The owner of an event is the user currently reviewing or taking action to resolve an event. Owner options for notable events are:
- Unassigned (default)
For more information about user roles and Enterprise Security app capabilities, see "Configure user and roles" in the Installation and Configuration Manual.
Tagging notable events
The notable events displayed on the Incident Review dashboard can be tagged for additional identification and to simplify searching. Key notable event fields such as Title, Status, and Owner offer the option to create new tags through the field action menu labeled Edit Tags. Once the tags are created, use the dashboard Tag filter to find tagged events by entering the tag name.
Sorting notable events
Use the header row arrows to sort notable events.
Assigning notable events
When a subset of notable events is ready for assignment, use the selection box to choose the notable events for assignment.
On the Edit Events window, update the Owner field to assign the notable events to an analyst.
Notify an analyst
A correlation search is available to notify an analyst if a notable event has not been triaged.
- Under General > Custom Searches, search for the Untriaged Notable Events correlation search.
- Modify the search, changing the notable event owner or status fields as desired.
- Set the desired alert action.
- Save the changes.
- Enable the Untriaged Notable Events correlation search.
Work with notable events
An analyst tasked with reviewing and investigating a notable event will prioritize the list of events assigned to them.
Use the information arrow on the left to expand an event and present additional fields:
- Correlation Search: A link to the Edit Correlation Search page where the correlation search associated with the event is defined. Review the correlation search parameters to understand why the notable event was created.
- History: A window displays the notable event history by date. To view event updates in sequence, use the Previous and Next links. The View all recent activity for this Notable Event link displays all of the change history for that notable event in a separate search window.
- Contributing Events: A search link to a drilldown search. The events that triggered the notable event creation will be displayed. The drilldown defaults to All Time. To change the drilldown time range, see "Configure Correlation Searches" in the Installation and Configuration Manual.
A drilldown on notable events finds more events than displayed on the Notable Event dashboard. By default, notable event drilldown is configured to display all related events at the time you drill down. You can change this window by editing the associated correlation search.
Expanding or managing notable events in Incident Review
If your search did not complete or is running in real time then you might not be able to expand or manage your notable events. Searches in the Incident Review dashboard must be finalized before working with notable events. To finalize a search, click the green checkmark icon. More information can be found in the "Perform search actions" topic in the core Splunk product documentation.
The Actions menu offers additional workflow actions for events. Different actions are defined for events, and fields in events.
Event actions are designed to identify workflows for indexed events. The notable event suppression and sharing notable event actions are provided to assist an incident review workflow.
- Share Notable Event:
- Presents a Share Event dialog box with a hyperlink to the notable event.
- Suppress events to/from
- Creates a New Notable Event Suppression to suppress additional notable events of the same type from a host. An Expiration Time field is available to define a time limit for the suppression filter. If the time limit is met, the suppression filter is disabled. See "Create a suppression from Incident Review" in this manual.
Field actions are designed to identify workflows for fields. There are a large number of field actions enabled, and the availability of actions vary by the field type. Fields such as
dest_ip have the most field actions available.
- Access Search (as destination): Opens another browser tab to the Access Search dashboard, takes the field value and scopes the search on that field value as the destination.
- Asset Investigator: Opens another browser tab to the Asset Investigator dashboard, takes the field value and scopes the search on that field value.
Updating event statues
To act upon events and move them through their resolution workflow:
1. Use the checkboxes to select one or more events upon which you wish to act, and select Edit all selected. Alternatively, click Edit all ## matching events to act upon all events displayed in the filter results.
2. The ES app opens the Edit Events window. Adjust the field contents to reflect the actions you’ve taken relative to the event.
3. Add an optional Comment to describe the actions taken. In a Security Information and Event Management (SIEM) environment, comments are mandatory for changing the characteristics of a security event. This creates a more complete audit record and removes the need to ask the analysts to explain their actions. You can adjust the ES app configurations to make the Comment field mandatory. See "Configure Incident Review Settings" in the Installation and Configuration Manual.
4. Save the changes
- If the modified event is not displayed when the Incident Review dashboard refreshes, review the filter settings at the top of the dashboard. Example: The filter is set to "New" after the event is changed to "In Progress".
5. Repeat until the event investigation is complete. Upon completion, change the Status field to Resolved.
Modify the Incident Review dashboard
Additional configuration options are available to change the default information displayed on portions of the Incident Review dashboard.
To change the columns of information displayed by default, update the
The default configuration is under:
1. To change a column, begin by copying
log_review.conf file in the path
2. Edit the
3. Under the
[incident_review] stanza, add or remove a column by changing the contents under the
table_attributes as desired. An example is available in the
4. Save the changes and restart.
Changing notable event fields
To change the fields displayed on the Incident Review dashboard for a notable event, update the
log_review.conf file. The default configuration is under:
1. To add or remove a field, begin by copying
log_review.conf file in the path
2. Edit the
3. Under the
[incident_review] stanza, add or remove the applicable field by changing the contents under the
event_attributes as desired. An example is available in the
4. Save the changes and restart.
Security Posture dashboard
Manual notable event creation
This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3