Splunk® Enterprise Security

Administer Splunk Enterprise Security


Identify annotations based risk objects in Splunk Enterprise Security

Use the Workbench-Risk (risk_object) as Asset workflow action panels or the Risk tab in Workbench for an investigation to visually classify the risk objects based on risk modifiers, risk scores, MITRE ATT&CK techniques, and tactics.

When an excessive number of notable events are generated from correlation searches, it may be difficult to isolate the root problem in an investigation. Risk workbench panels provide at-a-glance, risk-based insight into the severity of the events occurring in your system or network, help you prioritize notable events, assign targeted notable events to security analysts for review, and examine specific notable annotations for investigations.

Classify risk objects for targeted threat investigation

Use the Workbench-Risk (risk_object) as Asset panels or the Risk tab in Workbench for an investigation to investigate risk objects so that you may identify specific workflow actions and streamline your threat investigation process.

Access the Embedded Risk Workbench panels

Use the Workbench-Risk (risk_object) as Asset workflow action panels to display the risk modifiers, risk scores, and pie charts of MITRE ATT&CK techniques and tactics for a single artifact only.

Steps

  1. From the Enterprise Security menu, select Incident Review.
    This displays the notable events for the security domains.
  2. Expand the notable event.
  3. Click on Actions next to the Risk Object, Destination, User, or Source fields to display the Workbench-Risk (risk_object) as Asset workflow action.

    The Destination, User, and Source fields function as risk objects during the investigation process.

  4. Select the Workbench-Risk (risk_object) as Asset action.
    This opens the Embedded Workbench panel that displays the following items:
    • Recent risk modifiers that are applied to the risk objects.
    • Risk scores by artifact and trends of risk modifiers over time.
    • Pie chart displaying the distribution of artifacts by MITRE ATT&CK techniques like Drive-by Compromise, Account Manipulation, and so on.
    • Pie chart displaying the distribution of artifacts by MITRE ATT&CK tactics like discovery, persistence, defense evasion, and so on.
    • Time chart displaying the MITRE ATT&CK Techniques Over Time.
    • Time chart displaying the MITRE ATT&CK Tactics Over Time.
  5. Use the visuals and charts to investigate risk objects for a single artifact.

Access the Risk tab in Workbench

Use the Risk tab in Workbench to display the risk modifiers, risk scores, and graph charts of MITRE ATT&CK techniques and tactics for a single artifact or multiple artifacts in an investigation.

Steps

  1. From the Enterprise Security menu, select Investigation.
    This displays a list of open investigations.
  2. Click on an open investigation to display the Workbench panel.
  3. Click on Add Artifact to add artifacts (assets or identities) to your investigation.
    This opens the Add Artifacts dialog, which you may use to add a single or multiple artifacts to your investigation.
  4. Click on Add To Scope after specifying the details for the artifact.
    The list of artifacts in your investigation is displayed in the left panel.
  5. Click on Explore.
  6. Click on the Risk tab in Workbench to display the following items:
    • Risk scores for the risk object.
    • Recent risk modifiers that are applied to the risk objects.
    • Graph charts displaying the distribution of artifacts by MITRE ATT&CK techniques. For example: Drive-by Compromise, Account Manipulation, and so on.
    • Graph charts displaying the distribution of artifacts by MITRE ATT&CK tactics. For example: discovery, persistence, defense evasion, and so on.
  7. Use the visuals and charts to investigate risk objects for a single artifact or multiple artifacts.
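To make clear what the panels in both procedures above are summarizing, the following added example (not Splunk's code, and not its risk index schema) reproduces that aggregation in Python over a constructed set of risk-modifier events: total risk score per risk object, recent modifiers, distribution by MITRE ATT&CK technique and tactic, a per-day score trend, and a simple triage ranking. The field names, the sample events, and the score and tactic thresholds are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed risk-modifier events in the shape the Workbench Risk panels
# aggregate. Field names are assumptions for this example, not a Splunk schema.
RISK_EVENTS = [
    {"_time": "2021-02-01T09:05:00", "risk_object": "wks-042", "risk_object_type": "system",
     "risk_score": 20, "technique": "Drive-by Compromise", "tactic": "initial-access"},
    {"_time": "2021-02-01T09:40:00", "risk_object": "wks-042", "risk_object_type": "system",
     "risk_score": 30, "technique": "Modify Registry", "tactic": "defense-evasion"},
    {"_time": "2021-02-01T11:15:00", "risk_object": "wks-042", "risk_object_type": "system",
     "risk_score": 40, "technique": "Scheduled Task/Job", "tactic": "persistence"},
    {"_time": "2021-02-02T08:00:00", "risk_object": "wks-042", "risk_object_type": "system",
     "risk_score": 25, "technique": "Network Service Scanning", "tactic": "discovery"},
    {"_time": "2021-02-01T10:00:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 60, "technique": "Account Manipulation", "tactic": "persistence"},
    {"_time": "2021-02-02T10:30:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 15, "technique": "Account Manipulation", "tactic": "persistence"},
]


def summarize_risk_object(events, risk_object):
    """What the Risk panels show for one artifact: total score, recent
    modifiers, technique/tactic distribution and a per-day score trend."""
    mods = sorted((e for e in events if e["risk_object"] == risk_object),
                  key=lambda e: e["_time"], reverse=True)  # newest first
    trend = defaultdict(int)
    for e in mods:
        day = datetime.fromisoformat(e["_time"]).date().isoformat()
        trend[day] += e["risk_score"]
    return {
        "risk_object": risk_object,
        "total_score": sum(e["risk_score"] for e in mods),
        "recent_modifiers": [(e["_time"], e["risk_score"], e["technique"]) for e in mods],
        "by_technique": Counter(e["technique"] for e in mods),
        "by_tactic": Counter(e["tactic"] for e in mods),
        "score_by_day": dict(sorted(trend.items())),
    }


def prioritize(events, score_threshold=100, tactic_threshold=3):
    """Rank risk objects for analyst triage: an object stands out when its
    cumulative score crosses the threshold or it spans several ATT&CK tactics
    (thresholds are assumed values for this example)."""
    ranked = []
    for obj in {e["risk_object"] for e in events}:
        s = summarize_risk_object(events, obj)
        tactics = len(s["by_tactic"])
        flagged = s["total_score"] >= score_threshold or tactics >= tactic_threshold
        ranked.append((obj, s["total_score"], tactics, flagged))
    return sorted(ranked, key=lambda r: (r[3], r[1]), reverse=True)
```

With the constructed events, wks-042 accumulates 115 points across four tactics and ranks first, while jdoe's repeated Account Manipulation modifiers stay below both thresholds.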


For more information on managing investigations in Splunk Enterprise Security, see Investigations in Splunk Enterprise Security.

Last modified on 02 February, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only

