Splunk® Enterprise Security

Use Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Overview of Incident Review in

The Incident Review dashboard displays notable events and their current status. You can also filter notable events based on specific fields and accelerate the triage of notable events through an investigation workflow.

A notable event represents one or more anomalous incidents detected by a correlation search across data sources. For example, a notable event can represent:

  • The repeated occurrence of an abnormal spike in network usage over a period of time
  • A single occurrence of unauthorized access to a system
  • A host communicating with a server on a known threat list

As an analyst, you can use the dashboard to gain insight into the severity of events occurring in your system or network. You can use the dashboard to triage new notable events, assign events to analysts for review, and examine notable event details for investigative leads.

As an administrator, you can manage and customize Incident Review and notable event settings. See Managing Incident Review in Splunk Enterprise Security for more information about administrator activities.

The option to run a real time search is no longer available on the Incident Review page from release 6.6.2 or higher.

How identifies notable events

detects patterns in your data and automatically reviews events for security-relevant incidents using correlation searches. When a correlation search detects a suspicious pattern, the correlation search creates a new notable event.

The Incident Review dashboard surfaces all notable events, and categorizes them by potential severity so you can quickly triage, assign, and track issues.

Incident review workflow

You can use this example workflow to triage and work notable events on the Incident Review dashboard.

  1. An administrative analyst monitors the Incident Review dashboard, sorting and performing high-level triage on newly-created notable events.
  2. When a notable event warrants investigation, the administrative analyst assigns the event to a reviewing analyst to start investigating the incident.
  3. The reviewing analyst updates the status of the event from New to In Progress, and begins investigating the cause of the notable event.
  4. The reviewing analyst researches and collects information on the event using the fields and field actions in the notable event. The analyst records the details of their research in the Comments field of the notable event. As part of the research, the analyst might run adaptive response actions. If the research proves that the notable event needs more lengthy investigation, the analyst can assign the notable event to an investigation.
  5. After the reviewing analyst addresses the cause of the notable event and any remediation tasks have been escalated or solved, the analyst sets the notable event status to Resolved.
  6. The analyst assigns the notable event to a final analyst for verification.
  7. The final analyst reviews and validates the changes made to resolve the issue, and sets the status to Closed.

Change the UI theme of Splunk Enterprise Security

Splunk Enterprise Security UI allows you to switch between light and dark modes if you log in as an administrator.

  1. From the Splunk Enterprise Security menu bar, select Configure > All Configurations.
  2. Click General > General Settings.
  3. Scroll to ES Theme and select mode.

Dark mode is enabled by default when you install Splunk Enterprise Security 7.0 on Splunk Cloud Platform version 8.2.2109 or higher. The dark mode option is not yet available for Splunk Enterprise. The light mode is the Enterprise mode. For Splunk Enterprise Security versions installed on all versions of Splunk Enterprise or Splunk Cloud Platform version 8.2.2107 or lower, the settings to select mode and specify the UI theme are disabled.

When you load the Common Information Model (CIM) app within the ES context using Configure > CIM Setup, the mode displayed for CIM is the same as set for Enterprise Security. However, when you load the CIM app independently of ES, Enterprise mode is displayed by default.

Users such as ess_analyst or ess_user cannot switch between dark or Enterprise modes. However, as an administrator, you might grant access to other users and override the dark mode upon request by making edits to the user-prefs.conf configuration file.
To enable specific users to access the Enterprise mode, add theme = enterprise in the [general] stanza of the user-prefs.conf configuration file located at ./etc/users/<userid>/user-prefs/local/user-prefs.conf.
To enable all other users to access the Enterprise mode at a system level, add theme = enterprise in the [general] stanza of the user-prefs.conf configuration file located at ./etc/apps/user-prefs/local/user-prefs.conf.

Last modified on 14 September, 2022
PREVIOUS
About Splunk Enterprise Security
  NEXT
Triage notables on Incident Review in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters