Triage notables on Incident Review in Splunk Enterprise Security
You can monitor notables, assign notables to specific owners, and prioritize actions that analysts take to resolve security events on the Incident review page. You can also accelerate the triage of notables by using filters or tags and by adding dispositions.
Ways to triage notables faster
Drill down on specific notables or groups of notables that pose the highest threat to accelerate the triage of notables during an investigation. Triaging notables helps to respond to security threats faster. You can triage notables by sorting notables, grouping notables using filters, or adding dispositions to the notables.
Sort notables
Sort notables on the Incident Review page to triage them faster. The Urgency, Status, Security Domain, Owner, and Type filters help you categorize, track, and assign events.
You can further speed up the triage of your notable event through the investigation workflow by creating filters. Using filters helps you to drill down on specific and detailed information about the notable events and identify potential threats faster. Toggle Show Charts or Hide Charts to display visualizations for the notable events based on Urgency, Status, Owner, and Domain. You can hide the filters feature used for grouping notable events by clicking Close Filters.
You can also customize the fields or add additional fields to display your notable events. For more information on customizing notable event fields, see Change notable event fields.
Filter notable events using the following fields that appear on the Incident Review page:
Field | Description |
---|---|
Urgency | Importance of the notable event: Informational, Low, Medium, High, Critical, or Unknown. |
Status | Status of the notable: New, In Progress, Pending, Resolved, or Closed. |
Owner | Name of the owner. |
Security Domain | Domain from which the notable is generated: Access, Endpoint, Network, Threat, Identity, or Audit. |
Type | Select all notables or only notables of a specific kind. Options are All Notables, Notables (that don't use risk-based alerting), and Risk Notables. |
Search type | Correlation search or sequenced search. You can also filter notables by the name of a specific correlation search. |
Time | Time span during which the notables were created, such as Last 24 hours or Last 30 days. |
Associations | Specific investigations, short IDs, or running attack templates that are associated with the notables. |
You can filter for notable events created by the same correlation search using the Correlation Search Name filter to type the name of the correlation search that created a notable event. As you type, the correlation search names appear for you to select.
Type a Search Processing Language (SPL) string into the Search filter to search within the notable event details of notable events on Incident Review.
If you added notable events to investigations, or generated short IDs for notable events to share them with other analysts, you can filter by the Associations filter to quickly view the notable events associated with a specific investigation or the notable event represented by a short identifier. However, the short ID filter dropdown lists all short IDs, including notable events that are suppressed. If the notable event is suppressed, you will not be able to see it on the Incident Review page when filtering on short ID.
Additionally, you can simplify searching and add identifiers to notable events using tags. Click Edit Tags in the field actions menu for a notable event field such as Title, Status, or Owner to add new tags or modify existing ones. After you create a tag, you can use it to filter the notable events on the page.
If you want to see a filtered view of Incident Review by default, ask your ES admin to modify the navigation menu in Enterprise Security to link directly to a filtered view. See Add a link to a filtered view of Incident Review in Administer Splunk Enterprise Security.
Group notables
Reuse the grouping of notable events by specific fields during an investigation by saving filtered views. You can reuse saved views or edit existing views based on specific fields. You can also save a view as the default.
- From the Splunk Enterprise Security menu bar, click the Incident Review page.
- Select the fields that you want to use to group the notables. For example: Urgency: Critical; Status: New; Owner: Carl; Time: Last 24 hours; Security Domain: Endpoint.
- Click Save New Views.
- Enter a name for the view.
- Check Save as Default View if you want to make it the default view.
- Click Save to save the view.
All active views are listed in the Save Views dialog box.
- Verify that the view appears in the Saved Views drop down menu on the Incident Review page.
Manage filters for notables
Edit, delete, or select specific filtered views to group notable events based on specific fields for easier triage during an investigation.
- From the Splunk Enterprise Security menu bar, click the Incident Review page.
- Click Manage Views from the Saved Views drop down menu.
- Click Open under the Default column to change the default views.
- Click the pencil icon to edit the view name.
- Click the trash icon to delete a view.
Add dispositions to notables
Add a disposition to any notable on the Incident Review page to identify the threat level associated with the notable accurately. Dispositions help classify the notables and separate the false positives without impacting the status of the notable event, such as New, In-progress, Closed, and so on.
- From the Splunk Enterprise Security menu bar, click the Incident Review page.
- Scroll down to the table that lists the notables.
- Select the notable to which you want to add a disposition.
- Click Edit Selected to edit the selected notable event.
- Select one of the following options from the Disposition drop down menu:
- Undetermined
- True Positive - Suspicious Activity
- Benign Positive - Suspicious But Expected
- False Positive - Incorrect Analytic Logic
- False Positive - Inaccurate Data
- Click Save Changes.
Add custom dispositions to a notable
Follow these steps to create a custom disposition for notables:
- From the Splunk Enterprise Security menu bar, select Configure>Incident Management>Incident Review Settings.
- Scroll down to Incident Review-Dispositions.
- Click New.
- In the New Disposition dialog, add a label and description for the new disposition.
- Click Save.
Follow these steps to add the custom disposition to any notable:
- From the Splunk Enterprise Security menu bar, click the Incident Review page.
- From the list of notables, select the notables to which you want to add the custom disposition.
- Click Edit Selected.
- In the Edit Events dialog, select the custom disposition from the drop down menu.
- Click Save Changes.
- Click Close.
Assign notables to owners
You can assign one event at a time or several at once.
- Select a notable.
- Click Edit selected.
- Select an Owner to assign the notable. Or, click Assign to me to assign the event or events to yourself.
- Save your changes.
Owners are unassigned by default, and you can assign notables to any user with an administrator, ess_admin, or ess_analyst role. For more on user roles, see Configure users and roles in the Installation and Upgrade Manual.
If you use SAML authentication, it might take up to 10 minutes to update the list of users that you can assign notables to.
Update the status of a notable
New notables have the New status. As analysts triage and move a notable through the incident review workflow, the owner of the investigation can update the status of the notable to reflect the actions they take to address the event.
- Select one or more events, then click Edit Selected. To take action on all displayed events, click Edit all ## matching events, where ## is the number of notables that match the current filters.
- In the Edit Events window, update the fields to reflect your actions.
- (Optional) Add a Comment to describe the actions you took.
- Save changes.
If your Enterprise Security (ES) administrator customized the Incident Review page, you might need to enter comments when updating a notable. See Customize Incident Review in Splunk Enterprise Security for more information about how ES admins can customize the ways that analysts view and interact with notables.
If your changes are not immediately visible, check the filters. For example, if the filter is set to "New" after you changed an event to "In Progress", your updated event will not display.
You can choose from the following notable statuses.
Status | Description |
---|---|
Unassigned | Used by Enterprise Security when an error prevents the notable from having a valid status assignment. |
New | Default status. The event has not been reviewed. |
In Progress | An owner is investigating the event. |
Pending | The assignee must take an action. |
Resolved | The owner has addressed the cause of the event and is waiting for verification. |
Closed | The resolution of the event has been verified. |
You can customize the notable status names and workflow progression to match your process. For more information, see Manage notable statuses.
Prioritize notables by urgency
Use the urgency level of a notable event to prioritize incident review. Every notable is assigned an urgency. Urgency levels are Informational, Low, Medium, High, Critical, or Unknown.
Enterprise Security calculates the urgency level using the severity of the correlation search event and the priority of the asset or identity involved in the event. See How urgency is assigned to notable events in Splunk Enterprise Security.
By default, security analysts can change the urgency of a notable. See Customize Incident Review in Splunk Enterprise Security to learn how to change the default value for urgency of a notable.
Analyze risk event notables to identify threats
Use the Incident Review page to investigate the contributing risk events that created a notable. You can quickly identify the risk events that might be a threat to your security environment by analyzing the timeline of the risk events with their associated risk score.
- From the Splunk Enterprise Security menu bar, click the Incident Review page.
- From the Type filter dropdown, select Risk Notables to display the notables that have associated risk events.
You can expand a risk notable on the Incident Review page to launch the risk event timeline and further investigate the risk events associated with it.
- Review the following two fields for the risk notables:

Field | Description |
---|---|
Risk Events | Events that created the notable alert |
Aggregated Risk Score | Sum of the scores of all the contributing risk events |

For example, if there are five risk events with scores of 10, 20, 30, 40, and 50, the aggregated risk score is 150.
- Click the value in the Risk Events field for the notable that you want to investigate.
This opens a window that contains two panels. The top panel displays a timeline visualization of the contributing risk events that created the notable. The bottom panel includes a table with detailed information on the contributing risk events.
- Sort the contributing risk events in the table by any of the following fields:
- Time
- Risk Rule
- Risk Score
- Expand a risk event in the Contributing Risk Events table for more details to further analyze the risk objects in your security environment. This includes the following fields:
- Risk Object
- Source
- Risk Score
- Risk Message
- Saved Search Description
- Threat Object
- Threat Object Type
- Click View Contributing Events for information on the events that triggered the risk event.
You can also use the filter to search for specific contributing risk events that created the notable. Risk events from the behavioral analytics service do not display under Contributing Events.
- Correlate the risk events with their time and risk score in the timeline visualization to identify threats.
The timeline plots the contributing risk events with time on the x-axis and risk score on the y-axis, so you can zoom in and out to narrow down the time of occurrence.
The timeline also color codes the risk event icons by risk score. The color coding is consistent across the Contributing Risk Events table and the timeline visualization. A lighter icon corresponds to a lower risk score.
The Contributing Risk Events table and the timeline visualization show a maximum of 100 risk events. If there are more than 100 risk events, the event count in the header displays as 100+ and includes a link to the search page that lists all the risk events. If there are 100 or fewer risk events, the exact count is displayed.
The risk score shown in the Contributing Risk Events table and the timeline visualization is the calculated risk score of the events.
- Hover over a color coded icon in the timeline visualization to view more information about the risk event in a tooltip. The tooltip shows the following details:
- Risk Score
- Event Name
- Description
- Time
- MITRE Tactic
- MITRE Technique
- Click a risk event on the timeline to highlight the associated row in the Contributing Risk Events table.
- Identify the risk object type from the icon displayed in the header of the timeline visualization. The icons are:
- User
- System
- Network Artifacts
- Other
You might see a small discrepancy between the event count on the Incident Review page and the event count in the risk window, because a new search is launched when you click the notable on the Incident Review page.
Use custom risk notables to identify threats
Use the timeline visualizations for custom risk notables to search the risk index and identify threats. You can use custom risk notables in addition to the default risk notables to identify threats that are specific to your security environment. The following are examples of the default risk notables packaged with Splunk Enterprise Security:
- 24 hour risk threshold
- ATT&CK Tactic Threshold Exceeded over previous 7 days
The risk timeline modal cannot be selected unless all required fields are present within the risk notable event and the contributing risk events.
To create a custom risk notable, define the following fields in your risk notable. These fields are common to the risk index and the Risk data model:
Field | Description |
---|---|
risk_object | The entity to which the risk is attributed, such as a user name or a system. |
risk_object_type | The type of the risk object, such as user or system. |
risk_score | A number that represents the risk level of a specific risk object. |
risk_event_count | The total number of risk events associated with the notable event. This value is calculated by the notable search. |
drilldown_earliest | The start time used to identify the contributing events for the risk notable. This value is automatically populated from info_min_time by the notable framework. |
drilldown_latest | The end time used to identify the contributing events for the risk notable. This value is automatically populated from info_max_time by the notable framework. |
drilldown_search | The search used to identify the contributing events for the risk notable. This SPL must return a calculated_risk_score field with a non-null value. The calculated_risk_score field is part of the Risk data model. |
Example: How to create custom risk notables
Following is an example of creating a risk notable. You must follow this format to use the Risk Timeline visualization.
Suppose you have the following events in the Risk data model:
Risk object | Risk object type | Risk score |
---|---|---|
foo | user | 30 |
bar | user | 50 |
foo | user | 30 |
The underlying notable search must contain the following required fields:
risk_object
risk_object_type
risk_score
risk_event_count
drilldown_earliest
drilldown_latest
drilldown_search
Following is an example search for the risk notables, with its results. Required fields that are not part of the Risk data model, such as the aggregated score and the event count, are calculated by the search:
| tstats `summariesonly` sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count from datamodel=Risk.All_Risk by All_Risk.risk_object, All_Risk.risk_object_type
Results:
Risk object | Risk object type | Risk score | Risk event count |
---|---|---|---|
foo | user | 60 | 2 |
bar | user | 50 | 1 |
Though the search results add the drilldown fields automatically, you must specify a drilldown_search when you configure the risk notable in the Correlation Search editor. Additionally, the notable drilldown_search must return the field calculated_risk_score.
Following is an example of the drilldown_search:
| from datamodel:"Risk.All_Risk" | search risk_object="$risk_object$" risk_object_type="$risk_object_type$"
As shown in this example, calculated_risk_score already exists in the Risk data model and is calculated automatically.
For more information on accessing the Risk Timeline visualization to analyze risk event notables and identify threat, see Analyze risk event notables to identify threat.
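The following Python is an added illustration, not Splunk code and not part of this documentation. It replays the page's own sample risk events (foo/bar) through the same steps the custom risk notable performs: the sum/count aggregation by risk object that the tstats search does, a risk threshold stage, the check that all seven fields the Risk Timeline modal needs are present, token substitution in the drilldown_search, and the 100+ display cap for contributing events. The timestamps, source names, the threshold value, and the way drilldown_earliest/drilldown_latest are taken from the search window are constructed assumptions for the example.

```python
"""Illustrative model of a custom risk notable (not Splunk code).

Field names follow the documentation; sample data and the threshold are constructed.
"""
from collections import defaultdict

# Constructed sample events, matching the page's Risk data model table.
# _time and source values are assumptions made for this example.
RISK_EVENTS = [
    {"risk_object": "foo", "risk_object_type": "user", "calculated_risk_score": 30,
     "_time": 1700000000, "source": "Excessive Failed Logins"},
    {"risk_object": "bar", "risk_object_type": "user", "calculated_risk_score": 50,
     "_time": 1700000600, "source": "Suspicious PowerShell"},
    {"risk_object": "foo", "risk_object_type": "user", "calculated_risk_score": 30,
     "_time": 1700001200, "source": "Excessive Failed Logins"},
]

# Fields the page lists as required for the Risk Timeline modal to open.
REQUIRED_FIELDS = ("risk_object", "risk_object_type", "risk_score", "risk_event_count",
                   "drilldown_earliest", "drilldown_latest", "drilldown_search")

# Same shape as the page's drilldown_search; the $...$ tokens are filled per notable.
DRILLDOWN_TEMPLATE = ('| from datamodel:"Risk.All_Risk" '
                      '| search risk_object="$risk_object$" risk_object_type="$risk_object_type$"')


def aggregate_risk(events, info_min_time, info_max_time):
    """Mirror of the page's tstats search: sum(calculated_risk_score) as risk_score,
    count(calculated_risk_score) as risk_event_count, grouped by risk_object and
    risk_object_type. drilldown_earliest/latest take the search window, standing in
    for the info_min_time/info_max_time the notable framework supplies (assumption)."""
    groups = defaultdict(lambda: {"risk_score": 0, "risk_event_count": 0})
    for ev in events:
        key = (ev["risk_object"], ev["risk_object_type"])
        groups[key]["risk_score"] += ev["calculated_risk_score"]
        groups[key]["risk_event_count"] += 1
    notables = []
    for (obj, obj_type), agg in groups.items():
        notables.append({
            "risk_object": obj,
            "risk_object_type": obj_type,
            "risk_score": agg["risk_score"],
            "risk_event_count": agg["risk_event_count"],
            "drilldown_earliest": info_min_time,
            "drilldown_latest": info_max_time,
            "drilldown_search": DRILLDOWN_TEMPLATE,
        })
    # Highest aggregated risk first, as an analyst would triage them.
    return sorted(notables, key=lambda n: n["risk_score"], reverse=True)


def exceeds_threshold(notables, threshold):
    """Keep only risk objects whose aggregated score is above the threshold
    (the correlation search's alerting condition; the value is an assumption)."""
    return [n for n in notables if n["risk_score"] > threshold]


def missing_timeline_fields(notable):
    """Return the required fields that are absent or empty; a non-empty result means
    the Risk Timeline modal cannot be opened for this notable."""
    return [f for f in REQUIRED_FIELDS if notable.get(f) in (None, "")]


def render_drilldown(notable):
    """Substitute the $risk_object$ and $risk_object_type$ tokens, producing the SPL
    that Incident Review runs to list the contributing risk events."""
    spl = notable["drilldown_search"]
    for field in ("risk_object", "risk_object_type"):
        spl = spl.replace(f"${field}$", notable[field])
    return spl


def contributing_event_count_label(count, cap=100):
    """Header label for the Contributing Risk Events panel: the table and timeline
    show at most 100 events, so larger counts are displayed as '100+'."""
    return f"{cap}+" if count > cap else str(count)


if __name__ == "__main__":
    notables = aggregate_risk(RISK_EVENTS, 1700000000, 1700003600)
    for n in exceeds_threshold(notables, 55):
        print(n["risk_object"], n["risk_score"], n["risk_event_count"],
              "missing:", missing_timeline_fields(n))
        print(render_drilldown(n))
```

Running it reproduces the page's result table (foo: 60 over 2 events, bar: 50 over 1 event); only foo clears the example threshold of 55, its notable has no missing timeline fields, and its rendered drilldown_search is the page's example search with the tokens replaced by foo and user.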
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2