Splunk® Enterprise Security

Use Cases

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Add dispositions to risk notables

Ram adds dispositions to the risk notables using the Incident Review dashboard to identify the threat level associated with the notable accurately. Adding a disposition helps to classify the notables, separate the false positives, and drill down on the notables that pose the highest threat. This helps Ram to accelerate the triage of notables during an investigation and respond to security threats faster.

You can use the SOC Operations dashboard to gather insight into the security operations center (SOC) based on dispositions so that you can monitor the efficiency of the SOC and ensure that all security operations (detections, analysis, and responses) are on track. The panel on Dispositions Over Time displays a distribution of the various dispositions that are assigned to notables over the duration of a specified time period. This visualization provides insight into the number of notables that are false positives versus notables that are true positives. For more information on assigning dispositions to notables, see Add dispositions to notables.

  1. From the Splunk Enterprise Security menu bar, Ram clicks the Incident Review page and scrolls down to the table that lists the notables.
  2. Ram sorts them to bubble up only the risk notables and selects the checkbox beside the risk notables for which he wants to add a disposition.
  3. Ram clicks Edit Selected to edit the notable that he selected.
  4. For each risk notable, Ram selects one of the options from the Disposition drop-down list as shown in the following image and saves his changes.

AddDispositiontoNotable

Now Milly, the detection engineer, can prioritize the investigation of risk notables that are tagged as True Positive - Suspicious Activity.

Last modified on 24 March, 2022
PREVIOUS
Reduce alert volumes by triaging notables
  NEXT
Sort notables by disposition

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters