Splunk® Enterprise Security

Use Cases

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Add dispositions to risk notables

Ram adds dispositions to the risk notables using the Incident Review dashboard to identify the threat level associated with the notable accurately. Adding a disposition helps to classify the notables, separate the false positives, and drill down on the notables that pose the highest threat. This helps Ram to accelerate the triage of notables during an investigation and respond to security threats faster.

  1. From the Splunk Enterprise Security menu bar, Ram clicks the Incident Review page and scrolls down to the table that lists the notables.
  2. Ram sorts them to bubble up only the risk notables and selects the checkbox beside the risk notables for which he wants to add a disposition.
  3. Ram clicks Edit Selected to edit the notable that he selected.
  4. For each risk notable, Ram selects one of the options from the Disposition drop-down list as shown in the following image and saves his changes.


Now Ram needs to investigate only risk notables that are tagged as True Positive - Suspicious Activity.

Last modified on 19 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.2.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters