Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Triage notables on Incident Review in Splunk Enterprise Security

You can monitor notables, assign notables to specific owners, and prioritize actions that analysts take to resolve security events on the Incident review page. You can also accelerate the triage of notables by using filters or tags and by adding dispositions.

Ways to triage notables faster

Drill down on specific notables or groups of notables that pose the highest threat to accelerate the triage of notables during an investigation. Triaging notables helps to respond to security threats faster. You can triage notables by sorting notables, grouping notables using filters, or adding dispositions to the notables.

Sort notables

You can sort notables on the Incident Review page to triage notables faster. Notables contain Urgency, Status, Security Domain, Owner, and Type filters to help you categorize, track, and assign events.

You can further speed up the triage of your notable event through the investigation workflow by creating filters. Using filters helps you to drill down on specific and detailed information about the notable events and identify potential threats faster. Toggle Show Charts or Hide Charts to display visualizations for the notable events based on Urgency, Status, Owner, and Domain. You can hide the filters feature used for grouping notable events by clicking Close Filters.

You can also customize the fields or add additional fields to display your notable events. For more information on customizing notable event fields, see Change notable event fields.

Filter notable events using the following fields that appear on the Incident Review page:

Field Description
Urgency Importance of the notable event, such as, Medium, Low, High, Critical, Informational, and Unknown
Status Status of the notable, such as, New, In-progress, Pending, Resolved, and Closed
Owner Name of the owner.
Security Domain Domain from which the notable is generated, such as, Access, Endpoint, Network, Threat, Identity, and Audit
Type Option to select all notables or specific notables based on risk events
Options include: All Notables, Notables (that don't use risk based alerting), and Risk Notables
Search type Correlation search or sequenced search
You can also filter notables using specific correlation searches
Time or Time span during which notables are created, such as Last 24 hours, Last 30 days, and so on.
Associations Specific investigations, short IDs, or running attack templates that are associated with the notables.

You can filter for notable events created by the same correlation search using the Correlation Search Name filter to type the name of the correlation search that created a notable event. As you type, the correlation search names appear for you to select.

Type a Search Processing Language (SPL) string into the Search filter to search within the notable event details of notable events on Incident Review.

If you added notable events to investigations, or generated short IDs for notable events to share them with other analysts, you can filter by the Associations filter to quickly view the notable events associated with a specific investigation or the notable event represented by a short identifier. However, the short ID filter dropdown lists all short IDs, including notable events that are suppressed. If the notable event is suppressed, you will not be able to see it on the Incident Review page when filtering on short ID.

Additionally, you can simplify searching and add identifiers to notable events using tags. Click Edit Tags in the field actions menu for a notable event field such as Title, Status, or Owner to add new tags or modify existing ones. After you create a tag, you can use it to filter the notable events on the page.

If you want to see a filtered view of Incident Review by default, ask your ES admin to modify the navigation menu in Enterprise Security to link directly to a filtered view. See Add a link to a filtered view of Incident Review in Administer Splunk Enterprise Security.

Group notables

Reuse the grouping of notable events by specific fields during an investigation by saving filters. You can reuse saved filters or make edits to existing filters based on specific fields. Additionally, you can also save a filter as a default.

  1. From the Splunk Enterprise Security menu bar, click the Incident Review page.
  2. Select the fields that you want to use to group the notables.
    For example, Urgency: Critical; Status: New; Owner: Carl; Time: Last 24 hours; Security Domain: Endpoint
  3. Click Save New Filters.
  4. Enter a name for the filter.
  5. Check Save as Default Filter if you want to add it as a default filter.
  6. Click Save to save the filters.
    All active filters are listed in the Save Filters dialog box.
  7. Verify that the filter is in the Saved Filters drop down menu on the Incident Review page.

Manage filters for notables

Edit, delete, or select specific filters to group notable events based on specific fields for easier triage during an investigation.

  1. From the Splunk Enterprise Security menu bar, click the Incident Review page.
  2. Click Manage Filters from the Saved Filters drop down menu.
  3. Click Open under the Default column to change the default filters.
  4. Click the pencil icon to edit the filter name.
  5. Click the trash icon to delete a filter.

Add dispositions to notables

Add a disposition to any notable on the Incident Review page to identify the threat level associated with the notable accurately. Dispositions help classify the notables and separate the false positives without impacting the status of the notable event, such as New, In-progress, Closed, and so on.

  1. From the Splunk Enterprise Security menu bar, click the Incident Review page.
  2. Scroll down to the table that lists the notables.
  3. Select the notable to which you want to add a disposition.
  4. Click Edit Selected to edit the selected notable event.
  5. Select one of the following options from the Disposition drop down menu:
    • Undetermined
    • True Positive - Suspicious Activity
    • Benign Positive - Suspicious But Expected
    • False Positive - Incorrect Analytic Logic
    • False Positive - Inaccurate Data
    The default option for the Disposition field is "Undetermined". You can also add a custom disposition to the notable.
  6. Click Save Changes.

Analyze risk event notables to identify threat

Use the Incident Review page to investigate the contributing risk events that created a notable. You can quickly identify the risk events that might be a threat to your security environment by analyzing the timeline of the risk events with their associated risk score.

  1. From the Splunk Enterprise Security menu bar, click the Incident Review page.
  2. From the Type filter dropdown, select Risk Notable to display the notables that have associated risk events.
    You can expand the notable on the Incident Review page to launch the risk event timeline and further investigate the risk events associated with the notable.
  3. Review the following two fields for the risk notables:
    Field Description
    Risk Events Events that created the notable alert
    Aggregated Risk Score Sum of all the scores associated with each of the contributing risk events
    For example, if there are five risk events and each risk event is assigned a score of 10, 20, 30, 40, and 50 respectively, then the aggregated risk score is 150.
  4. Click the value in the Risk Events field for the notable that you want to investigate.
    This opens a window that contains two panels. The top panel displays a timeline visualization of the contributing risk events that created the notable. The bottom panel includes a table with detailed information on the contributing risk events.
  5. Sort the contributing risk events in the table based on any of the following fields:
    • Time
    • Risk Rule
    • Risk Score
  6. Expand the risk notable in the Contributing Risk Events table for more details to further analyze the risk objects in your security environment.
    This includes information on the following fields:
    • Risk Object
    • Source
    • Risk Score
    • Risk Message
    • Saved Search Description
    • Threat Object
    • Threat Object Type
  7. Click View Contributing Events for information on the contributing events that triggered the risk event.
    You can also search for specific contributing risk events that created the notables through the filter.
  8. Correlate the risk events with dates and severity of the risk scores in the timeline visualization to identify threats.
    You can zoom in and out to narrow down the time of occurrence since the timeline visualization plots of the contributing risk events using time on the x-axis and the risk score on the y-axis.
    The timeline visualization also uses color codes on the icons that indicate the severity of the risk scores. The color coding of risk score icons is consistent across the Contributing Risk Events table and the timeline visualization of the risk events. A lighter color icon corresponds to a lower risk score.
    You can view a maximum of 100 risk events on the Contributing Risk Events table and the timeline visualization. If you have more than 100 risk events, the event count displays as 100+ on the header and includes a link to the search page that displays the complete list of risk events. If the number of risk events is less than 100, the event count is displayed as is.
    The risk score in the Contributing Risk Events table and the timeline visualization is the calculated risk score of all events.
  9. Hover over the color coded icons in the timeline visualization to view more information on the risk event within a tooltip. The following additional details about the risk event are displayed in the tooltip:
    • Risk Score
    • Event Name
    • Description
    • Time
    • MITRE Tactic
    • MITRE Technique
  10. Click a notable on the timeline to highlight the associated row in the Contributing Risk Events table.
  11. Identify the risk object type through the icons displayed in the header of the timeline visualization from the following icons:
    • User
    • System
    • Network Artifacts
    • Other

You might see a small discrepancy between the event count on the Incident Review page and the event count on the risk window because a new search is launched when you click the notable on the Incident Review page.

Use custom risk notables to identify threats

Use the timeline visualizations for custom risk notables to search the risk index and identify threats. You can use custom risk notables in addition to using default risk notables to identify threats that are specific to your security environment. Following are examples of the default risk notables that are packaged with Splunk Enterprise Security:

  • 24 hour risk threshold
  • ATT&CK Tactic Threshold Exceeded over previous 7 days

The risk timeline modal cannot be selected unless all required fields are present within the risk notable event and the contributing risk events.

To create a custom risk notable, define the following fields in your risk notable. The following fields are common to the risk index and risk data model:

Field Description
risk_object The risk event identifier
risk_object_type The risk event identifier type
risk_score A number that represents the risk level of a specific risk object.
risk_event_count The total number of risk events associated with the notable event. This value is calculated using the notable search.
drilldown_earliest The start time used to identify the contributing events for the risk notable. This value is automatically populated using the info_min_time in the notable framework.
drilldown_latest The end time used to identify the contributing events for the risk notable. This value is automatically populated using the info_max_time in the notable framework.
drilldown_search The search used to identify the contributing events for the risk notable. This SPL must return a calculated_risk_score field with a non-null value. The calculated_risk_score field is common to the Risk data model.

Example: How to create custom risk notables

Following is an example of creating a risk notable. You must follow this format to use the Risk Timeline visualization.

Say, you have the following events in the Risk data model:

Risk object Risk object type Risk score
foo user 30
bar user 50
foo user 30

The underlying notable search must contain the following required fields:

  • risk_object
  • risk_object_type
  • risk_score
  • risk_event_count
  • drilldown_earliest
  • drilldown_latest
  • drilldown_search

Following is an example of the search for the risk notables with associated results:

Required fields that are not part of the Risk data model are calculated.

| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count from datamodel=Risk.All_Risk by All_Risk.risk_object, All_Risk.risk_object_type

Results:

Risk object Risk object type Risk score Risk event count
foo user 60 2
bar user 50 1

Though search results add the drilldown fields automatically, you must specify a drilldown_search when you configure the risk notable on the Correlation Search editor. Additionally, the notable drilldown_search must contain the field calculated_risk_score.

Following is an example of the drilldown_search:

| from datamodel:"Risk.All_Risk" | search risk_object="$risk_object$" risk_object_type="$risk_object_type$"

As shown in this example, the calculated_risk_score already exists in the Risk data model and is calculated automatically.

For more information on accessing the Risk Timeline visualization to analyze risk event notables and identify threat, see Analyze risk event notables to identify threat.

Assign notables to owners

You can assign one event at a time or several at once.

  1. Select a notable.
  2. Click Edit selected.
  3. Select an Owner to assign the notable. Or, click Assign to me to assign the event or events to yourself.
  4. Save your changes.

Owners are unassigned by default, and you can assign notables to any user with an administrator, ess_admin, or ess_analyst role. For more on user roles, see Configure users and roles in the Installation and Upgrade Manual.

If you use SAML authentication, it might take up to 10 minutes to update the list of users that you can assign notables to.

Update the status of a notable

New notables have the New status. As analysts triage and move a notable through the incident review workflow, the owner of the investigation can update the status of the notable to reflect the actions they take to address the event.

  1. Select one or more events, then click Edit all selected. To take action on all displayed events, click Edit all ## matching events.
  2. In the Edit Events window, update the fields to reflect your actions.
  3. (Optional) Add a Comment to describe the actions you took.
  4. Save changes.

If your Enterprise Security (ES) administrator customized the Incident Review page, you might need to enter comments when updating a notable. See Customize Incident Review in Splunk Enterprise Security for more information about how ES admins can customize the ways that analysts view and interact with notables.

If your changes are not immediately visible, check the filters. For example, if the filter is set to "New" after you changed an event to "In Progress", your updated event will not display.

You can choose from the following notable statuses.

Status Description
Unassigned Used by Enterprise Security when an error prevents the notable from having a valid status assignment.
New Default status. The event has not been reviewed.
In Progress An owner is investigating the event.
Pending The assignee must take an action.
Resolved The owner has addressed the cause of the event and is waiting for verification.
Closed The resolution of the event has been verified.

You can customize the notable status names and workflow progression to match your process. For more information, see Manage notable statuses.

Prioritize notables by urgency

Use the urgency level of a notable event to prioritize incident review. Every notable is assigned an urgency. Urgency levels can be Unknown, Low, Medium, Informational, High, or Critical.

Enterprise Security calculates the urgency level using the severity of the correlation search event and the priority of the asset or identity involved in the event. See How urgency is assigned to notable events in Splunk Enterprise Security.

By default, security analysts can change the urgency of a notable. See Customize Incident Review in Splunk Enterprise Security to learn how to change the default value for urgency of a notable.

Last modified on 19 January, 2022
Overview of Incident Review in   Investigate a notable on Incident Review in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters