Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Risk Analysis

The Risk Analysis dashboard displays recent changes to risk scores and objects that have the highest risk scores. As an analyst, you can use this dashboard to assess relative changes in risk scores and examine the events that contribute to an object's risk score.

You can use the Risk Analysis dashboard to review changes to an object's risk score, determine the source of a risk increase, and decide if additional action is needed.

Dashboard filters

Use any of the available filters on the Risk Analysis dashboard to search and filter the results. A filter is applied to all panels in the dashboard, but not the key security indicators.

| Filter by | Description |
| --- | --- |
| Source | Filter by the correlation search that has risk modifiers. |
| Risk Object | Select a risk object type and type a string to filter by risk object. Risk object type defaults to All. |

The Risk Object filter works by performing a reverse lookup against the asset and identity tables to find all fields that have been associated with the specified Risk Object. All associated objects found by the reverse lookup are then displayed on the dashboard. For example, if you select a risk object type of system and type a Risk Object of 10.10.1.100, the reverse lookup against the assets table could return a MAC address. The Risk Analysis dashboard then updates to display any risk score applied to the 10.10.1.100 address and to that MAC address. If no match to another object is found in the asset table, only the IP address matches from the Risk data model are displayed.

Dashboard panels

The Risk Analysis dashboard offers additional views to help analyze risk scoring changes and what caused the changes. Use the filters to refine the view to a specific object or group of objects. Use the drilldown to explore the data as events.

| Panel | Description |
| --- | --- |
| Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security. |
| Risk Modifiers Over Time | Displays the changes made to risk modifiers over time. Use the dashboard filters to scope the view to a specific object or group of objects. The drilldown opens a search on all events in the Risk data model scoped to the selected time frame. |
| Risk Score By Object | Displays the objects with the highest risk score. The drilldown opens a search with the selected risk object, scoped to the selected time frame. |
| Most Active Sources | Displays the correlation searches that contribute the highest amount of risk to any object. The drilldown opens a search with the selected source. |
| Recent Risk Modifiers | Displays a table of the most recent changes in a risk score, the source of the change, and the object. |
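The following Python model shows how the Risk Object filter's reverse lookup and the dashboard panels fit together: a risk object is expanded to every identifier on the same asset row, the risk events are filtered to that set, and the Risk Score By Object, Most Active Sources and Recent Risk Modifiers panels are computed from the filtered events. This is an added example, not Splunk code; the asset table, the risk events, the correlation search names and the field names (`ip`, `mac`, `nt_host`, `dns`, `risk_object`, `risk_object_type`, `source`, `risk_score`) are constructed for illustration and may differ from the real asset lookup and Risk data model.

```python
from collections import defaultdict

# Constructed asset table: each row holds the identifiers of one system.
ASSETS = [
    {"ip": "10.10.1.100", "mac": "00:11:22:33:44:55",
     "nt_host": "WS-FIN-07", "dns": "ws-fin-07.corp.example"},
    {"ip": "10.10.1.101", "mac": "aa:bb:cc:dd:ee:ff",
     "nt_host": "WS-HR-02", "dns": "ws-hr-02.corp.example"},
]
ASSET_ID_FIELDS = ("ip", "mac", "nt_host", "dns")

# Constructed risk modifier events (source names are invented, not real ES rules).
RISK_EVENTS = [
    {"_time": 1637500000, "risk_object": "10.10.1.100", "risk_object_type": "system",
     "source": "Threat - Brute Force Access Behavior - Rule", "risk_score": 40},
    {"_time": 1637500600, "risk_object": "00:11:22:33:44:55", "risk_object_type": "system",
     "source": "Network - Excessive Firewall Denies - Rule", "risk_score": 20},
    {"_time": 1637501200, "risk_object": "WS-FIN-07", "risk_object_type": "system",
     "source": "Threat - Brute Force Access Behavior - Rule", "risk_score": 40},
    {"_time": 1637501800, "risk_object": "10.10.1.101", "risk_object_type": "system",
     "source": "Network - Excessive Firewall Denies - Rule", "risk_score": 20},
    {"_time": 1637502400, "risk_object": "jsmith", "risk_object_type": "user",
     "source": "Access - Privileged Login From Unusual Host - Rule", "risk_score": 60},
]


def reverse_lookup(risk_object, assets=ASSETS):
    """Return every identifier tied to the same asset row as risk_object.

    A match on any identifier field expands to all identifiers of that row,
    which is what lets the dashboard show the MAC address and hostname
    alongside the IP address. An object with no asset match comes back as a
    one-element set, so only exact matches are displayed for it.
    """
    matched = {risk_object}
    for row in assets:
        values = {row[f] for f in ASSET_ID_FIELDS if row.get(f)}
        if risk_object in values:
            matched |= values
    return matched


def filter_events(events, risk_object=None, risk_object_type="All", source=None):
    """Apply the Source and Risk Object dashboard filters to the events."""
    allowed = reverse_lookup(risk_object) if risk_object else None
    out = []
    for e in events:
        if risk_object_type != "All" and e["risk_object_type"] != risk_object_type:
            continue
        if allowed is not None and e["risk_object"] not in allowed:
            continue
        if source and e["source"] != source:
            continue
        out.append(e)
    return out


def risk_score_by_object(events):
    """Risk Score By Object panel: total score per object, highest first."""
    totals = defaultdict(int)
    for e in events:
        totals[e["risk_object"]] += e["risk_score"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def most_active_sources(events):
    """Most Active Sources panel: total risk contributed per correlation search."""
    totals = defaultdict(int)
    for e in events:
        totals[e["source"]] += e["risk_score"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def recent_risk_modifiers(events, limit=10):
    """Recent Risk Modifiers panel: newest changes first."""
    newest = sorted(events, key=lambda e: e["_time"], reverse=True)[:limit]
    return [(e["_time"], e["risk_object"], e["source"], e["risk_score"]) for e in newest]


def combined_risk(events, risk_object):
    """Total risk across every identifier the reverse lookup ties to risk_object.

    This is the number an analyst wants when the same host was scored under
    its IP, MAC and hostname by different correlation searches.
    """
    return sum(e["risk_score"] for e in filter_events(events, risk_object=risk_object))


if __name__ == "__main__":
    scoped = filter_events(RISK_EVENTS, risk_object="10.10.1.100", risk_object_type="system")
    print("Risk Score By Object:", risk_score_by_object(scoped))
    print("Most Active Sources:", most_active_sources(RISK_EVENTS))
    print("Combined risk for 10.10.1.100:", combined_risk(RISK_EVENTS, "10.10.1.100"))
```

Note that in this model the three events for the same workstation are scored under its IP, MAC and hostname separately; without the reverse lookup, filtering on 10.10.1.100 would show only 40 points of risk, while the expanded view shows all 100.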
Last modified on 22 November, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2

