Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Classify risk objects for targeted threat investigation in Splunk Enterprise Security

Visually classify risk objects based on risk modifiers, risk scores, MITRE ATT&CK techniques, and MITRE ATT&CK tactics using the Workbench-Risk (risk_object) as Asset workflow action panels or the Risk tab in Workbench for an investigation. The Workbench-Risk (risk_object) as Asset panels and the Risk tab in Workbench help you investigate risk objects so that you can identify specific workflow actions and streamline your threat investigation process.

When risk incident rules generate an excessive number of notable events, it might be difficult to isolate the root problem in an investigation.

Risk workbench panels help in threat investigation by:

  • providing risk-based insight into the severity of the events occurring in your system or network
  • helping to prioritize notable events
  • assigning targeted notable events to security analysts for review
  • examining specific notable annotations for investigations

Access the Embedded Risk Workbench panels

For a single artifact, use the Workbench-Risk (risk_object) as Asset workflow action panels to display the risk modifiers, risk scores, and pie charts for MITRE ATT&CK techniques and tactics by following these steps:

  1. From the Splunk Enterprise Security menu, select Incident Review.
    This displays the notable events for the security domains.
  2. Expand the notable event.
  3. Select Actions next to the Risk Object, Destination, User, or Source fields to display the Workbench-Risk (risk_object) as Asset workflow action.

    The dest, user, and src fields function as risk objects during the investigation process.

  4. Select the Workbench-Risk (risk_object) as Asset action.
    This opens the Embedded Workbench panel that displays the following items:
    • Recent risk modifiers applied to the risk objects.
    • Risk scores by artifact and trends of risk modifiers over time.
    • Pie chart displaying the distribution of artifacts by MITRE ATT&CK techniques like Drive-by Compromise, Account Manipulation, and so on.
    • Pie chart displaying the distribution of artifacts by MITRE ATT&CK tactics like discovery, persistence, defense evasion, and so on.
    • Time chart displaying the MITRE ATT&CK Techniques Over Time.
    • Time chart displaying the MITRE ATT&CK Tactics Over Time.
  5. Use the visuals and charts to investigate risk objects for a single artifact.

Access the Risk tab in Workbench

For a single artifact or multiple artifacts in an investigation, use the Risk tab in Workbench to display the risk modifiers, risk scores, and graph charts for MITRE ATT&CK techniques and tactics by following these steps:

  1. From the Enterprise Security menu, select Investigation, which displays a list of open investigations.
  2. Select an open investigation to display the Workbench panel.
  3. Select Add Artifact to add artifacts (assets or identities) to your investigation.
    This opens the Add Artifacts dialog, which you might use to add a single or multiple artifacts to your investigation.
  4. Select Add To Scope after specifying the details for the artifact, which displays the list of artifacts in your investigation.
  5. Select Explore.
  6. Select the Risk tab in Workbench to display the following items:
    • Risk scores for the risk object.
    • Recent risk modifiers applied to the risk objects.
    • Graph charts displaying the distribution of artifacts by MITRE ATT&CK techniques. For example: Drive-by Compromise, Account Manipulation, and so on.
    • Graph charts displaying the distribution of artifacts by MITRE ATT&CK tactics. For example: discovery, persistence, defense evasion.
  7. Use the visuals and charts to investigate risk objects for a single artifact or multiple artifacts.
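As an added example that is not part of the Splunk documentation or of the product itself, the following Python mirrors what both the Embedded Risk Workbench panels and the Risk tab compute from risk events: the total risk score per artifact, the technique and tactic distribution behind the pie and graph charts, the per-day trend behind the "Over Time" charts, and a priority ordering that supports assigning artifacts to analysts. The sample events and their field names (_time, risk_object, risk_object_type, risk_score, technique, tactic) are constructed assumptions and flatten the real risk-index annotation fields for brevity.

```python
from collections import Counter, defaultdict

# Constructed sample risk-index events (not taken from the page). Field names are an
# assumption modelled on the ES risk index; the MITRE annotations are flattened here.
RISK_EVENTS = [
    {"_time": "2023-04-10T08:05:00Z", "risk_object": "WIN-ADMIN01", "risk_object_type": "system",
     "risk_score": 20, "technique": "Drive-by Compromise", "tactic": "initial-access"},
    {"_time": "2023-04-10T09:40:00Z", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 40, "technique": "Account Manipulation", "tactic": "persistence"},
    {"_time": "2023-04-11T02:15:00Z", "risk_object": "WIN-ADMIN01", "risk_object_type": "system",
     "risk_score": 60, "technique": "Masquerading", "tactic": "defense-evasion"},
    {"_time": "2023-04-11T03:00:00Z", "risk_object": "WIN-ADMIN01", "risk_object_type": "system",
     "risk_score": 10, "technique": "System Information Discovery", "tactic": "discovery"},
    {"_time": "2023-04-11T10:30:00Z", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 15, "technique": "Account Manipulation", "tactic": "persistence"},
]

def _day(ts):
    """Bucket an ISO-8601 UTC timestamp to its calendar day (the time-chart x-axis)."""
    return ts[:10]

def risk_score_by_object(events):
    """Total risk score per (risk_object_type, risk_object): the 'risk scores by artifact' panel."""
    totals = Counter()
    for e in events:
        totals[(e["risk_object_type"], e["risk_object"])] += e["risk_score"]
    return dict(totals)

def distribution(events, field, risk_object=None):
    """Counts per technique or tactic, optionally scoped to one artifact: the pie/graph charts."""
    return Counter(e[field] for e in events if risk_object in (None, e["risk_object"]))

def trend(events, field, risk_object):
    """Per-day counts of a field for one artifact: the 'Techniques/Tactics Over Time' charts."""
    buckets = defaultdict(Counter)
    for e in events:
        if e["risk_object"] == risk_object:
            buckets[_day(e["_time"])][e[field]] += 1
    return {day: dict(c) for day, c in sorted(buckets.items())}

def prioritize(events):
    """Rank artifacts for analyst assignment: highest total score first, then by the
    number of distinct tactics touched (breadth across tactics suggests a multi-stage intrusion)."""
    scores = risk_score_by_object(events)
    tactics = defaultdict(set)
    for e in events:
        tactics[(e["risk_object_type"], e["risk_object"])].add(e["tactic"])
    return sorted(scores, key=lambda k: (scores[k], len(tactics[k])), reverse=True)
```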

See also

For more information on investigations in Splunk Enterprise Security, see the product documentation.

Investigations in Splunk Enterprise Security in Use Splunk Enterprise Security.

Last modified on 12 April, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2
