Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Incident Review dashboard

The Incident Review dashboard displays notable events and their current status. As an analyst, you will use the dashboard to gain insight into the severity of events occurring within your system or network. You will use the dashboard views to triage new notable events, assign events to analysts for review, and examine notable event details for investigative leads.

Notable event

To reduce the amount of effort required to search through your security events for incidents, the Splunk App for Enterprise Security uses correlation searches to detect patterns in your data and identify security issues that require investigation. When a suspicious pattern is detected, the correlation search creates an alert called a notable event.

A notable event represents one or more anomalous incidents that a correlation search has detected across data sources. For example, a notable event can represent:

  • The repeated occurrence of an abnormal spike in network usage over a period of time
  • A single occurrence of unauthorized access to a system
  • A host communicating with a server on a known threat list

The Incident Review dashboard surfaces all notable events, and categorizes them by potential severity so you can quickly triage, assign, and track issues.

Use the Incident Review dashboard

The incident review process is a workflow through which you move notable events and track the actions analysts take to resolve the issues that triggered an event.

Incident review workflow

An example of the workflow for performing incident review:

  1. An administrative analyst monitors the Incident Review dashboard, sorting and performing high-level triaging on newly created notable events.
  2. When a notable event warrants investigation, the administrative analyst assigns the event to a reviewing analyst to initiate the event’s journey through the resolution workflow.
  3. The reviewing analyst changes the status of the event from New to In Progress, and begins investigating the cause of the notable event.
  4. The reviewing analyst researches and collects information on the event using the fields and field actions that are presented in the notable event. The notable event is updated with the research by recording the details in the Comments field.
  5. After the reviewing analyst is satisfied that the conditions of the notable event have been addressed, with any remediation tasks escalated or solved, the notable event’s status is set to Resolved. The notable event is reassigned to a final analyst for verification.
  6. The final analyst reviews and validates the changes made to resolve the issue, and sets the status to Closed.

The Enterprise Security app audits all incident review activity, and presents the results on the "Incident Review Audit" dashboard.

Triage notable events

The Incident Review dashboard offers several tools to facilitate the task of triaging notable events, including search filters, tagging, and sorting. Use the search filters and time range selector to focus on groups of, or an individual notable event. A notable event provides the metadata fields Urgency, Status, and Owner to assist in categorizing, tracking, and assigning events.

ES33 incident review top.png

Filter by Description Action
Urgency Filter by the Urgency status of the notable events Table: select to filter out
Status Filter by the workflow status of the notable events Multi-select: Click inside the field to expose a selection menu. Choose an item to filter in. Repeat to add multiple Status filters.
Owner Filter by the workflow owner of the notable events Multi-select: Click inside the field to expose a selection menu. Choose an item to filter in. Repeat to add multiple Owner filters.
Security Domain Filter by the security domain of the notable events Multi-select: Click inside the field to expose a selection menu. Choose an item to filter in. Repeat to add multiple Security Domain filters.
Tag Filter notable events by tag Multi-item: Click inside the field and type the tag name to filter on. Repeat to add multiple Tag filters.
Name Filter by string Text field. Wildcard with an asterisk (*)
Search Filter with direct Splunk search language queries (free-form entry) Text field. Wildcard with an asterisk (*)
Time Select a time range to filter results Drop-down: select to set time-range

Notable Event Urgency

A notable event's urgency is calculated based on the severity of the correlation search event and the priority of the asset or identity on which the event occurred. To review how urgency is calculated, see "How the urgency of an event is assigned" in this manual. Urgency levels for notable events are:

  • Low
  • Medium
  • Informational
  • High
  • Critical

The urgency of a notable event can be changed by the security analyst. To remove the ability to modify urgency on a notable event, see "Configure Incident Review Settings" in the Installation and Configuration Manual.

Notable Event Status

A new notable event is created with a status of New. As a notable event moves through its resolution workflow, its status changes to reflect the actions the owner of the event is taking to address the event.

  • Unassigned: The event has not been assigned an owner
  • New (default): The event has not been reviewed
  • In Progress: An owner is investigating the event
  • Pending: An event closure is pending some action
  • Resolved: The resolution action is complete, and awaiting verification by another user
  • Closed: The event resolution is verified

You can customize the notable event status names and workflow progression. For more information, see "Configure notable events" in the Installation and Configuration Manual.

Notable Event Owner

The owner of an event is the user currently reviewing or taking action to resolve an event. Owner options for notable events are:

  • Unassigned (default)
  • Administrator
  • esadmin
  • esanalyst

For more information about user roles and Enterprise Security app capabilities, see "Configure user and roles" in the Installation and Configuration Manual.

Tagging notable events

The notable events displayed on the Incident Review dashboard can be tagged for additional identification and to simplify searching. Key notable event fields such as Title, Status, and Owner offer the option to create new tags through the field action menu labeled Edit Tags. Once the tags are created, use the dashboard Tag filter to find tagged events by entering the tag name.

ES33 incident review tag.png

Sorting notable events

Use the header row arrows to sort notable events.

ES33 incident review sort.png

Assigning notable events

When a subset of notable events is ready for assignment, use the selection box to choose the notable events for assignment.

ES33 incident review select.png

On the Edit Events window, update the Owner field to assign the notable events to an analyst.

ES31 incident review assign.png

Notify an analyst

A correlation search is available to notify an analyst if a notable event has not been triaged.

  1. Under General > Custom Searches, search for the Untriaged Notable Events correlation search.
  2. Modify the search, changing the notable event owner or status fields as desired.
  3. Set the desired alert action.
  4. Save the changes.
  5. Enable the Untriaged Notable Events correlation search.

Work with notable events

An analyst tasked with reviewing and investigating a notable event will prioritize the list of events assigned to them.

ES33incident review table.png

Use the information arrow on the left to expand an event and present additional fields:

ES33 incident review links.png

  • Correlation Search: A link to the Edit Correlation Search page where the correlation search associated with the event is defined. Review the correlation search parameters to understand why the notable event was created.
  • History: A window displays the notable event history by date. To view event updates in sequence, use the Previous and Next links. The View all recent activity for this Notable Event link displays all of the change history for that notable event in a separate search window.
  • Contributing Events: A search link to a drilldown search. The events that triggered the notable event creation will be displayed. The drilldown defaults to All Time. To change the drilldown time range, see "Configure Correlation Searches" in the Installation and Configuration Manual.

A drilldown on notable events finds more events than displayed on the Notable Event dashboard. By default, notable event drilldown is configured to display all related events at the time you drill down. You can change this window by editing the associated correlation search.

Expanding or managing notable events in Incident Review

If your search did not complete or is running in real time then you might not be able to expand or manage your notable events. Searches in the Incident Review dashboard must be finalized before working with notable events. To finalize a search, click the green checkmark icon. More information can be found in the "Perform search actions" topic in the core Splunk product documentation.


Actions menu

The Actions menu offers additional workflow actions for events. Different actions are defined for events, and fields in events.

Event Actions

Event actions are designed to identify workflows for indexed events. The notable event suppression and sharing notable event actions are provided to assist an incident review workflow.

ES33 incident review actions.png

  • Share Notable Event:
Presents a Share Event dialog box with a hyperlink to the notable event.
  • Suppress events to/from $host:
Creates a New Notable Event Suppression to suppress additional notable events of the same type from a host. An Expiration Time field is available to define a time limit for the suppression filter. If the time limit is met, the suppression filter is disabled. See "Create a suppression from Incident Review" in this manual.

Field Actions

Field actions are designed to identify workflows for fields. There are a large number of field actions enabled, and the availability of actions vary by the field type. Fields such as host, src, src_ip, dest, and dest_ip have the most field actions available.

ES33 incident review actions2.png

Examples:

  • Access Search (as destination): Opens another browser tab to the Access Search dashboard, takes the field value and scopes the search on that field value as the destination.
  • Asset Investigator: Opens another browser tab to the Asset Investigator dashboard, takes the field value and scopes the search on that field value.

Updating event statues

To act upon events and move them through their resolution workflow:

1. Use the checkboxes to select one or more events upon which you wish to act, and select Edit all selected. Alternatively, click Edit all ## matching events to act upon all events displayed in the filter results.

2. The ES app opens the Edit Events window. Adjust the field contents to reflect the actions you’ve taken relative to the event.

ES33 incident review comments.png

3. Add an optional Comment to describe the actions taken. In a Security Information and Event Management (SIEM) environment, comments are mandatory for changing the characteristics of a security event. This creates a more complete audit record and removes the need to ask the analysts to explain their actions. You can adjust the ES app configurations to make the Comment field mandatory. See "Configure Incident Review Settings" in the Installation and Configuration Manual.

4. Save the changes

  • If the modified event is not displayed when the Incident Review dashboard refreshes, review the filter settings at the top of the dashboard. Example: The filter is set to "New" after the event is changed to "In Progress".

5. Repeat until the event investigation is complete. Upon completion, change the Status field to Resolved.

Modify the Incident Review dashboard

Additional configuration options are available to change the default information displayed on portions of the Incident Review dashboard.

Changing columns

To change the columns of information displayed by default, update the log_review.conf file. The default configuration is under: $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/log_review.conf.

1. To change a column, begin by copying log_review.conf file in the path $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default to $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local

2. Edit the $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/log_review.conf file.

3. Under the [incident_review] stanza, add or remove a column by changing the contents under the table_attributes as desired. An example is available in the SA-ThreatIntelligence/README/log_review.conf.example.

4. Save the changes and restart.

Changing notable event fields

To change the fields displayed on the Incident Review dashboard for a notable event, update the log_review.conf file. The default configuration is under: $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/log_review.conf.

1. To add or remove a field, begin by copying log_review.conf file in the path $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default to $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local

2. Edit the $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/log_review.conf file.

3. Under the [incident_review] stanza, add or remove the applicable field by changing the contents under the event_attributes as desired. An example is available in the SA-ThreatIntelligence/README/log_review.conf.example.

4. Save the changes and restart.

PREVIOUS
Security Posture dashboard
  NEXT
Manual notable event creation

This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3


Comments

Thank you JStoner. The content has been updated.

Ekostowski splunk, Splunker
September 22, 2015

You may want to consider adding to the section Modify the Incident Review dashboard.
I can add columns to the Notable Event Fields table by editing the same conf file as mentioned above. This can be useful to someone who might want to see a destination host or source host in the table before expanding.

Jstoner splunk, Splunker
September 18, 2015

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters