Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting


Analyze risk notables using Threat Topology in Splunk Enterprise Security

Use the Threat Topology visualization in Splunk Enterprise Security to isolate risk.

The Threat Topology visualization helps you to identify how the different risk objects that create a risk notable relate to each other. Investigating the potential connections between multiple risk objects that relate to a particular threat is especially useful when the aggregated risk score of the notable is high. You can display a maximum of 20 risk objects that pertain to a single threat object in the Threat Topology visualization.

Follow these steps to analyze risk notables using the Threat Topology visualization:

  1. From the Splunk Enterprise Security menu bar, click the Incident Review page.
  2. Filter by risk to display all the risk notables.
  3. For any risk notable, select the number of risk events in the Risk Events column.
  4. Select the Threat Topology option to display the threat topology visualization of the risk objects for the risk notable.
  5. Select any risk object to highlight the related risk objects or threat objects.
  6. Select a risk object to display details such as risk scores, priority, and so on.
    You can also select View in Risk Analysis to analyze the risk object in the Risk Analysis dashboard.
    You can also select View in Threat Activity to analyze the threat object in the Threat Activity dashboard.
  7. Specify the time range to drill down further into the risk event created by the risk object.
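The following Python is an added example, not part of the Splunk documentation or product code. It models what the Threat Topology visualization does with the risk events behind a risk notable: it groups risk objects under the threat objects they share, aggregates scores, enforces the 20-risk-object display limit, and answers the "what does selecting this node highlight?" question from step 5. The sample events are constructed, and the field names (risk_object, threat_object, risk_score) follow the naming convention of the Splunk ES risk index as an assumption.

```python
from collections import defaultdict

# Constructed sample risk events (not real data). Field names follow the
# Splunk ES risk index convention; treat that naming as an assumption here.
RISK_EVENTS = [
    {"risk_object": "host-01", "threat_object": "203.0.113.5", "risk_score": 40},
    {"risk_object": "jdoe", "threat_object": "203.0.113.5", "risk_score": 25},
    {"risk_object": "host-01", "threat_object": "evil.example", "risk_score": 30},
    {"risk_object": "host-02", "threat_object": "evil.example", "risk_score": 15},
    {"risk_object": "jdoe", "threat_object": "203.0.113.5", "risk_score": 10},
]

MAX_RISK_OBJECTS_PER_THREAT = 20  # display limit stated in the documentation


def build_threat_topology(events, limit=MAX_RISK_OBJECTS_PER_THREAT):
    """Map each threat object to its related risk objects with summed scores.

    Scores for the same (threat_object, risk_object) pair are added together,
    and only the `limit` highest-scoring risk objects are kept per threat object,
    mirroring the 20-object cap of the visualization.
    """
    scores = defaultdict(lambda: defaultdict(int))
    for ev in events:
        scores[ev["threat_object"]][ev["risk_object"]] += ev["risk_score"]
    topology = {}
    for threat, objs in scores.items():
        ranked = sorted(objs.items(), key=lambda kv: (-kv[1], kv[0]))
        topology[threat] = dict(ranked[:limit])
    return topology


def related_objects(topology, risk_object):
    """Return (threat objects touching risk_object, other risk objects sharing
    those threat objects): the nodes highlighted when the node is selected."""
    threats = {t for t, objs in topology.items() if risk_object in objs}
    peers = {r for t in threats for r in topology[t] if r != risk_object}
    return threats, peers


def aggregated_risk_score(topology, risk_object):
    """Total score of a risk object across every threat object it relates to."""
    return sum(objs.get(risk_object, 0) for objs in topology.values())
```

A high aggregated score for an object that touches several threat objects is exactly the case the documentation flags as worth investigating through the topology rather than event by event.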

See also

For more information about risk notables and the visualizations available for RBA in Splunk Enterprise Security, see the product documentation.

Create risk notables in Splunk Enterprise Security

Analyze risk events using the Risk Timeline in Splunk Enterprise Security

How the Risk Timeline visualization works in Splunk Enterprise Security

Fields in a risk notable

Last modified on 28 March, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0

