Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Managing Incident Review in Splunk Enterprise Security

detects patterns in your data and automatically reviews events for security-relevant incidents using correlation searches. When a correlation search detects a suspicious pattern, the correlation search creates an alert called a notable event.

The Incident Review dashboard surfaces all notable events, and categorizes them by potential severity so analysts can quickly triage, assign, and track issues.

How risk scores display in Incident Review

Risk scores do not display in Incident Review for every asset or identity. Only assets or identities (risk objects) that have a risk score and a risk object type of "system," "user," or "other" display in Incident Review. Risk scores only show for the following fields: orig_host, dvc, src, dest, src_user, and user. The risk score for an asset or identity might not match the score on the Risk Analysis dashboard. The risk score is a cumulative score for an asset or identity, rather than a score specific to an exact username.

  • For example, if a person has a username of "buttercup" that has a risk score of 40, and an email address of "buttercup@splunk.com" with a risk score of 60, and the identity lookup identifies that "buttercup" and "buttercup@splunk.com" belong to the same person, a risk score of 100 displays on Incident Review for both "buttercup" and "buttercup@splunk.com" accounts.
  • As another example, if an IP of 10.11.36.1 has a risk score of 80 and an IP of 10.11.36.19 has a risk score of 30, and the asset lookup identifies that a range of IPs "10.11.36.1 - 10.11.36.19" belong to the same asset, a risk score of 110 displays on Incident Review for both "10.11.36.1" and "10.11.36.19" IP addresses.

Risk scores are calculated for Incident Review using the Threat - Risk Correlation By <type> - Lookup Gen lookup generation searches. The searches are run every 30 minutes and focus on the last 7 days of risk events to update the risk_correlation_lookup lookup file. To see more frequent updates to the risk scores in Incident Review, update the cron_schedule of the saved searches.

Notify an analyst of untriaged notable events

You can use a correlation search to notify an analyst if a notable event has not been triaged.

  1. Select Configure > Content > Content Management.
  2. Locate the Untriaged Notable Events correlation search using the filters.
  3. Modify the search, changing the notable event owner or status fields as desired.
  4. Set the desired alert action.
  5. Save the changes.
  6. Enable the Untriaged Notable Events correlation search.
Last modified on 16 December, 2022
Administering Splunk Enterprise Security   Customize Incident Review in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters