Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. To resolve redirect errors, you must use the version selector on the ES documentation homepage to navigate between the versions.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Analyze risk notables using Threat Topology in Splunk Enterprise Security

Use the Threat Topology visualization in Splunk Enterprise Security to isolate risk and see the incident beyond the infected user, improve situational awareness, and a comprehensive view of the entire security operations center (SOC).

The Threat Topology visualization helps you to identify how the different risk objects that create a risk notable relate to each other. Investigating the potential connections between multiple risk objects that relate to a particular threat is especially useful when the aggregated risk score of the notable is high. You can display a maximum of 20 risk objects that pertain to a single threat object in the Threat Topology visualization.

All information on threat objects already exists in the risk notable. The Threat topology visualization only helps you to identify the other risk objects such as users and systems that are related to the threats, which created a specific risk notable.

Follow these steps to analyze risk notables using the Threat Topology visualization:

  1. From the Splunk Enterprise Security menu bar, click the Incident Review page.
  2. Filter by risk to display all the risk notables.
  3. For any risk notable, select the number of risk events in the Risk Events column.
  4. Select the Threat Topology option to display the threat topology visualization of the risk objects for the risk notable.
  5. Select any risk object to highlight the related risk objects or threat objects.
  6. Select a risk object to display details such as risk scores, priority, and so on.
    You can also select View in Risk Analysis to analyze the risk object in the Risk Analysis dashboard.
    You can also select View in Threat Activity to analyze the threat object in the Threat Activity dashboard.
  7. Specify the time range to drill down further into the risk event created by the risk object.

How the threat topology visualization gets populated

The Threat Topology visualization gets populated if risk events share the same threat object. However, you can also populate the threat topology visualization by configuring threat objects in the Risk Analysis adaptive response action.

  1. Open the correlation search in the Correlation Search Editor.
  2. Select Add New Response Action and select Risk Analysis.
  3. Enter the risk score that you want to assign to the risk object.
  4. Select a field from the notable event to apply the risk score to the Risk Object field.
  5. Select the Risk Object Type to which you want to apply the risk score.
  6. In the Threat Object field, add a threat object. For example: payload.
  7. In the Threat Object Type field, add the type of threat object. For example: file_hash

    8. These fields must exist in your correlation search.

    Populating the threat object fields connects the threat object to the risk object of your RBA detections and populates the Threat Topology visualization.


See also

For more information about risk notables and the visualizations available for RBA in Splunk Enterprise Security, see the product documentation.

Create risk notables in Splunk Enterprise Security

Analyze risk events using the Risk Timeline in Splunk Enterprise Security.

How the Risk Timeline visualization works in Splunk Enterprise Security

Fields in a risk notable.

Last modified on 08 September, 2023
Analyze risk events using the Risk Timeline in Splunk Enterprise Security   Managing risk using risk-based alerting in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2, 7.3.3

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters