Analyze risk notables using Threat Topology in Splunk Enterprise Security

Use the Threat Topology visualization in Splunk Enterprise Security to isolate risk and see the incident beyond the infected user, improve situational awareness, and a comprehensive view of the entire security operations center (SOC).

The Threat Topology visualization helps you to identify how the different risk objects that create a risk notable relate to each other. Investigating the potential connections between multiple risk objects that relate to a particular threat is especially useful when the aggregated risk score of the notable is high. You can display a maximum of 20 risk objects that pertain to a single threat object in the Threat Topology visualization.

All information on threat objects already exists in the risk notable. The Threat topology visualization only helps you to identify the other risk objects such as users and systems that are related to the threats, which created a specific risk notable.

Follow these steps to analyze risk notables using the Threat Topology visualization:

1. From the Splunk Enterprise Security menu bar, click the Incident Review page.
2. Filter by risk to display all the risk notables.
3. For any risk notable, select the number of risk events in the Risk Events column.
4. Select the Threat Topology option to display the threat topology visualization of the risk objects for the risk notable.
5. Select any risk object to highlight the related risk objects or threat objects.
6. Select a risk object to display details such as risk scores, priority, and so on.
   You can also select View in Risk Analysis to analyze the risk object in the Risk Analysis dashboard.
   You can also select View in Threat Activity to analyze the threat object in the Threat Activity dashboard.
7. Specify the time range to drill down further into the risk event created by the risk object.

How the threat topology visualization gets populated

The Threat Topology visualization gets populated if risk events share the same threat object. However, you can also populate the threat topology visualization by configuring threat objects in the Risk Analysis adaptive response action.

1. Open the correlation search in the Correlation Search Editor.
2. Select Add New Response Action and select Risk Analysis.
3. Enter the risk score that you want to assign to the risk object.
4. Select a field from the notable event to apply the risk score to the Risk Object field.
5. Select the Risk Object Type to which you want to apply the risk score.
6. In the Threat Object field, add a threat object. For example: payload.
7. In the Threat Object Type field, add the type of threat object. For example: file_hash

These fields must exist in your correlation search.

Populating the threat object fields connects the threat object to the risk object of your RBA detections and populates the Threat Topology visualization.

See also

For more information about risk notables and the visualizations available for RBA in Splunk Enterprise Security, see the product documentation.

Create risk notables in Splunk Enterprise Security

Analyze risk events using the Risk Timeline in Splunk Enterprise Security.

How the Risk Timeline visualization works in Splunk Enterprise Security

Fields in a risk notable.