Splunk® Enterprise Security

Use Cases


Investigate risk notables that represent a threat

Ram investigates the risk notables that are tagged as True Positive - Suspicious Activity using the timeline visualization on the Incident Review page and identifies the source of the security threat.

  1. From the Splunk Enterprise Security menu bar, Ram clicks the Incident Review page.
  2. From the Type filter drop-down list, Ram selects Risk Notable to display the notables that have associated risk events.
  3. Ram focuses only on the risk notables that have the Disposition tagged as True Positive - Suspicious Activity.
  4. Ram reviews the following two fields for the risk notables: Risk Event and Aggregated Score. The Aggregated Score is the sum of all the scores associated with each of the contributing risk events.
  5. Ram clicks the value in the Risk Events field for the notable event that he wants to investigate. This opens a window that contains two panels. The top panel displays a timeline visualization of the contributing risk events that created the notable. The bottom panel includes a table with detailed information on the contributing risk events as shown in the following image:
    [Image: timeline visualization of risk events]
  6. Ram expands the risk notable in the Contributing Risk Events table for more details to further analyze the risk objects in his security environment.
    This includes information on the following fields:
    • Risk Object
    • Source
    • Risk Score
    • Risk Message
    • Saved Search Description
    • Threat Object
    • Threat Object Type
    These details provide Ram with further context to analyze the risk object, such as PowerShell activity, registry entries, commands, risk messages, user login information, or any other suspicious activity, as shown in the following image:
    [Image: Contributing Risk Events table]
  7. Ram correlates the risk events with dates and the severity of the risk scores in the timeline visualization to identify threats.
  8. Ram also zooms in and out to narrow down the time of occurrence, since the timeline visualization plots the contributing risk events using time on the x-axis and the risk score on the y-axis. The timeline visualization also uses color codes on the icons to indicate the severity of the risk scores. The color coding of risk score icons is consistent across the Contributing Risk Events table and the timeline visualization of the risk events. Ram knows that a lower risk score corresponds to a lighter color icon.
  9. Ram now identifies the risk object type through the icons displayed in the header of the timeline visualization. Icons include:
    • User
    • System
    • Network Artifacts
    • Other
    Using the filters, timeline, and other visualizations on the Incident Review page in Splunk Enterprise Security helps Ram to accelerate the triage process of notables during the investigation workflow. Ram can now quickly identify the risk events that might be a threat to the SOC of Buttercup Games.
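The following Python script is an added example and is not Splunk's own code or the Buttercup Games environment from this topic. It models what the Incident Review panels above compute from the risk index: it groups constructed sample records (field names mirror the Splunk ES Risk data model; every value is invented) by risk object, sums the contributing scores into the Aggregated Score, orders the contributing events into a timeline with a severity band (the score thresholds are assumed, the page only states that lower scores get lighter icons), and lists threat objects shared by more than one risk object, which is the kind of common source an analyst looks for in step 7. The notable threshold passed to `risk_notables` is also an assumed parameter.

```python
"""Aggregate contributing risk events into a risk-notable view (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records shaped like Splunk ES risk index events.
# Field names follow the Risk data model; all values are invented here.
SAMPLE_RISK_EVENTS = [
    {"_time": "2022-01-10T09:02:11Z", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 20, "source": "Example - Excessive Failed Logins - Rule",
     "risk_message": "12 failed logins for jdoe from 10.0.0.5",
     "threat_object": "10.0.0.5", "threat_object_type": "src"},
    {"_time": "2022-01-10T09:15:40Z", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 30, "source": "Example - Encoded PowerShell Command - Rule",
     "risk_message": "Encoded PowerShell command run by jdoe on host-web-01",
     "threat_object": "powershell.exe", "threat_object_type": "process"},
    {"_time": "2022-01-10T09:20:05Z", "risk_object": "host-web-01", "risk_object_type": "system",
     "risk_score": 10, "source": "Example - New Registry Run Key - Rule",
     "risk_message": "New Run key value written on host-web-01",
     "threat_object": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "threat_object_type": "registry"},
    {"_time": "2022-01-10T08:50:00Z", "risk_object": "host-web-01", "risk_object_type": "system",
     "risk_score": 15, "source": "Example - Inbound Scan Detected - Rule",
     "risk_message": "Port scan of host-web-01 from 10.0.0.5",
     "threat_object": "10.0.0.5", "threat_object_type": "src"},
    {"_time": "2022-01-10T09:40:22Z", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 50, "source": "Example - Login From Suspicious Source - Rule",
     "risk_message": "jdoe authenticated from 10.0.0.5",
     "threat_object": "10.0.0.5", "threat_object_type": "src"},
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def severity_band(score):
    """Map a risk score to a severity band (assumed thresholds: lighter icon = lower band)."""
    if score >= 50:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def aggregate_risk(events):
    """Group events by risk object; the Aggregated Score is the sum of contributing scores."""
    groups = defaultdict(list)
    for event in events:
        groups[(event["risk_object_type"], event["risk_object"])].append(event)
    summary = {}
    for (object_type, risk_object), contributing in groups.items():
        ordered = sorted(contributing, key=lambda e: parse_time(e["_time"]))
        summary[risk_object] = {
            "risk_object_type": object_type,
            "aggregated_score": sum(e["risk_score"] for e in contributing),
            "contributing": ordered,
        }
    return summary


def timeline(contributing):
    """Timeline rows as plotted in the top panel: (time, score, severity band)."""
    return [(e["_time"], e["risk_score"], severity_band(e["risk_score"])) for e in contributing]


def shared_threat_objects(events):
    """Threat objects seen on more than one risk object: candidate common source."""
    seen = defaultdict(set)
    for event in events:
        seen[(event["threat_object_type"], event["threat_object"])].add(event["risk_object"])
    return {f"{t}:{v}": sorted(objs) for (t, v), objs in seen.items() if len(objs) > 1}


def risk_notables(events, threshold):
    """Risk objects whose Aggregated Score reaches the (assumed) notable threshold."""
    summary = aggregate_risk(events)
    return sorted(obj for obj, row in summary.items() if row["aggregated_score"] >= threshold)


if __name__ == "__main__":
    summary = aggregate_risk(SAMPLE_RISK_EVENTS)
    for risk_object, row in summary.items():
        print(f"{row['risk_object_type']}:{risk_object} aggregated_score={row['aggregated_score']}")
        for when, score, band in timeline(row["contributing"]):
            print(f"  {when} score={score:<3} {band}")
    print("shared threat objects:", shared_threat_objects(SAMPLE_RISK_EVENTS))
    print("risk notables at threshold 100:", risk_notables(SAMPLE_RISK_EVENTS, 100))
```

Running the script prints one block per risk object with its contributing events in time order, then shows that the constructed source address appears on both the user and the system, which is the cross-object correlation that the timeline and the Contributing Risk Events table let an analyst spot by eye.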
Last modified on 19 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0

