Analyze risk notables using Threat Topology in Splunk Enterprise Security

Use the Threat Topology visualization in Splunk Enterprise Security to isolate risk.

The Threat Topology visualization helps you to identify how the different risk objects that create a risk notable relate to each other. Investigating the potential connections between multiple risk objects that relate to a particular threat is especially useful when the aggregated risk score of the notable is high. You can display a maximum of 20 risk objects that pertain to a single threat object in the Threat Topology visualization.

Follow these steps to analyze risk notables using the Threat Topology visualization:

1. From the Splunk Enterprise Security menu bar, click the Incident Review page.
2. Filter by risk to display all the risk notables.
3. For any risk notable, select the number of risk events in the Risk Events column.
4. Select the Threat Topology option to display the threat topology visualization of the risk objects for the risk notable.
5. Select any risk object to highlight the related risk objects or threat objects.
6. Select a risk object to display details such as risk scores, priority, and so on.
   You can also select View in Risk Analysis to analyze the risk object in the Risk Analysis dashboard.
   You can also select View in Threat Activity to analyze the threat object in the Threat Activity dashboard.
7. Specify the time range to drill down further into the risk event created by the risk object.

See also

For more information about risk notables and the visualizations available for RBA in Splunk Enterprise Security, see the product documentation.

Create risk notables in Splunk Enterprise Security

Analyze risk events using the Risk Timeline in Splunk Enterprise Security.

How the Risk Timeline visualization works in Splunk Enterprise Security

Fields in a risk notable.