The Risk Analysis dashboard displays recent changes to risk scores and objects that have the highest risk scores. As an analyst, you can use this dashboard to assess relative changes in risk scores and examine the events that contribute to an object's risk score.
You can use the Risk Analysis dashboard to review changes to an object's risk score, determine the source of a risk increase, and decide if additional action is needed.
Use any of the available filters on the Risk Analysis dashboard to search and filter the results. A filter is applied to all panels in the dashboard, but not the key security indicators.
|Source||Filter by the correlation search that has risk modifiers|
|Risk Object||Select a risk object type and type a string to filter by risk object. Risk object type defaults to All.|
The Risk Object filter works by performing a reverse lookup against the asset and identity tables to find all fields that have been associated with the specified Risk Object. All associated objects found by the reverse lookup then display on the dashboard. For example, if you select a risk object type of system and type a Risk Object of 10.10.1.100, the reverse lookup against the assets table could return a MAC address. The Risk Analysis dashboard will update to display any risk score applied to the 10.10.1.100 address and a MAC address. If no match to another object was found in the asset table, only the IP address matches from the Risk Analysis data model will be displayed.
The Risk Analysis dashboard offers additional views to help analyze risk scoring changes and what caused the changes. Use the filters to refine the view to a specific object or group of objects. Use the drilldown to explore the data as events.
|Key Indicators||Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.|
|Risk Modifiers Over Time||Displays the changes made to risk modifiers over time. Use the dashboard filters to scope the view to a specific object or group of objects. The drilldown opens a search on all events in the Risk data model scoped to the selected time frame.|
|Risk Score By Object||Displays the objects with the highest risk score. The drilldown opens a search with the selected risk object and scoped to the selected time frame.|
|Most Active Sources||Displays the correlation searches that contribute the highest amount of risk to any object. The drilldown opens a search with the selected source.|
|Recent Risk Modifiers||Displays a table of the most recent changes in a risk score, the source of the change, and the object.|
User Activity Monitoring
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0