Splunk® Enterprise Security

Use Cases

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Add dispositions to risk notables

Ram adds dispositions to the risk notables using the Incident Review dashboard to identify the threat level associated with the notable accurately. Adding a disposition helps to classify the notables, separate the false positives, and drill down on the notables that pose the highest threat. This helps Ram to accelerate the triage of notables during an investigation and respond to security threats faster.

  1. From the Splunk Enterprise Security menu bar, Ram clicks the Incident Review page and scrolls down to the table that lists the notables.
  2. Ram sorts them to bubble up only the risk notables and selects the checkbox beside the risk notables for which he wants to add a disposition.
  3. Ram clicks Edit Selected to edit the notable that he selected.
  4. For each risk notable, Ram selects one of the options from the Disposition drop-down list as shown in the following image and saves his changes.

AddDispositiontoNotable

Now Ram needs to investigate only risk notables that are tagged as True Positive - Suspicious Activity.

Last modified on 19 January, 2022
PREVIOUS
Reduce alert volumes by triaging notables
  NEXT
Sort notables by disposition

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters