Managing Incident Review in Splunk Enterprise Security
detects patterns in your data and automatically reviews events for security-relevant incidents using correlation searches. When a correlation search detects a suspicious pattern, the correlation search creates an alert called a notable event.
The Incident Review dashboard surfaces all notable events, and categorizes them by potential severity so analysts can quickly triage, assign, and track issues.
- For information about how analysts use the Incident Review dashboard, see Incident Review overview in Use Splunk Enterprise Security.
- To audit and review analyst activity on the Incident Review dashboard, see Incident Review Audit in Use Splunk Enterprise Security.
- To customize the display of the Incident Review dashboard, and also modify analyst capabilities and permissions, see Customize Incident Review in Splunk Enterprise Security.
- To manually create notable events, see Manually create a notable event in Splunk Enterprise Security.
- To customize settings for notable events, see Customize notable event settings in Splunk Enterprise Security.
- For more information about how notable events are populated and managed by the notable event framework, see Notable Event framework in Splunk Enterprise Security on the Splunk developer portal.
How risk scores display in Incident Review
Risk scores do not display in Incident Review for every asset or identity. Only assets or identities (risk objects) that have a risk score and a risk object type of "system," "user," or "other" display in Incident Review. Risk scores only show for the following fields:
The risk score for an asset or identity might not match the score on the Risk Analysis dashboard. The risk score is a cumulative score for an asset or identity, rather than a score specific to an exact username.
- For example, if a person has a username of "buttercup" that has a risk score of 40, and an email address of "firstname.lastname@example.org" with a risk score of 60, and the identity lookup identifies that "buttercup" and "email@example.com" belong to the same person, a risk score of 100 displays on Incident Review for both "buttercup" and "firstname.lastname@example.org" accounts.
- As another example, if an IP of 10.11.36.1 has a risk score of 80 and an IP of 10.11.36.19 has a risk score of 30, and the asset lookup identifies that a range of IPs "10.11.36.1 - 10.11.36.19" belong to the same asset, a risk score of 110 displays on Incident Review for both "10.11.36.1" and "10.11.36.19" IP addresses.
Risk scores are calculated for Incident Review using the Threat - Risk Correlation By <type> - Lookup Gen lookup generation searches. The searches run every 30 mins over the previous 7 days and update the
risk_correlation_lookup lookup file. To see more frequent updates to the risk scores in Incident Review, update the
cron_schedule of the saved searches.
Notify an analyst of untriaged notable events
You can use a correlation search to notify an analyst if a notable event has not been triaged.
- Select Configure > Content > Content Management.
- Locate the Untriaged Notable Events correlation search using the filters.
- Modify the search, changing the notable event owner or status fields as desired.
- Set the desired alert action.
- Save the changes.
- Enable the Untriaged Notable Events correlation search.
Administering Splunk Enterprise Security
Customize Incident Review in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2