Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Investigate a notable on Incident Review in Splunk Enterprise Security

After you finish triaging notable events, begin your investigation. Use the available fields on a notable event to assess the urgency, contributing events, and risk scores associated with the notable event.

Open the event details to learn more about a notable event.

  • Review the History to see the recent investigation activity on the notable event. Click View all recent activity for this Notable Event to see analyst comments, status changes, and other activities for the event.
  • Determine if the notable event is part of an existing investigation by reviewing the Related Investigations section. Click the name of the investigation to open it.
  • See which correlation search generated the notable event. Click the name of the correlation search to make changes to or review the correlation search to understand why the notable event was created.
  • View the Contributing Events that caused the notable event to be created.
  • Review the risk scores listed for assets and identities involved in a notable event. Click a risk score to open the Risk Analysis dashboard filtered on that asset or identity.
  • If one original event created a notable event, you can see the full details of the original event.
  • Review the Adaptive Responses to see which adaptive response actions have been performed for this notable event, whether the actions were successfully performed, and drill down for more details. Click the name of the response action to see potential results generated by this action's invocation. Click View Adaptive Response Invocations to see the raw audit events for the response actions associated with this correlation search. It takes up to five minutes for updates to appear on this table.
  • Review the Next Steps to see if any next steps for notable event triage are defined.
  • Click Create Short ID to create a short ID to share with other analysts. You can also share a notable event with a link. See Take action on a notable event on Incident Review in Splunk Enterprise Security.

Why are some of my contributing events missing?

There are some correlation searches that detect a lack of something. For example, the "Endpoint - Should Timesync Host Not Syncing - Rule" detects a lack of successful time synchronization events for a particular host. Another example is the "Audit - Expected Host Not Reporting - Rule" that detects a lack of data from a host.

When notable events are created for these hosts, it is possible that clicking the view all contributing events link from Incident Review will result in "No results found". You can use the time range picker to expand the time range for identifying when the lack of events occurred, but it's possible that "No results found" will persist because the host never did the thing it was supposed to do.

Find the sequenced events generated by the event sequence template

Once you have created a sequence template, and it has reached the end state, the output is listed as a sequenced event in the Incident Review dashboard. See Find the sequenced events generated by the event sequence template.

Last modified on 22 November, 2021
Triage notable events on Incident Review in Splunk Enterprise Security   Take action on a notable on Incident Review in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters