Classify risk objects for targeted threat investigation in Splunk Enterprise Security

Visually classify the risk objects based on risk modifiers, risk scores, MITRE ATT&CK techniques, and tactics using the Workbench-Risk (risk_object) as Asset workflow action panels or the Risk tab in Workbench for an investigation. The Workbench-Risk (risk_object) as Asset panels and the Risk tab in Workbench helps to investigate risk objects so that you might identify specific workflow actions and streamline your threat investigation process.

When risk incident rules generate an excessive number of notable events, it might be difficult to isolate the root problem in an investigation.

Risk workbench panels help in threat investigation by:

• providing risk-based insight into the severity of the events occurring in your system or network
• helping to prioritize notable events
• assigning targeted notable events to security analysts for review
• examining specific notable annotations for investigations

Access the Embedded Risk Workbench panels

For a single artifact, use the Workbench-Risk (risk_object) as Asset workflow action panels to display the risk modifiers, risk scores, and pie charts for MITRE ATT&CKS by following these steps:

1. From the Splunk Enterprise Security menu, select Incident Review.
   This displays the notable events for the security domains.
2. Expand the notable event.
3. Select Actions next to the Risk Object, Destination, User, or Source fields to display the Workbench-Risk (risk_object) as Asset workflow action.

   The '''dest''', '''user''', and '''src''' fields function as risk objects during the investigation process.

4. Select the Workbench-Risk (risk_object) as Asset action.
   This opens the Embedded Workbench panel that displays the following items:
   • Recent risk modifiers applied to the risk objects.
   • Risk scores by artifact and trends of risk modifiers over time.
   • Pie chart displaying the distribution of artifacts by MITRE ATT&CK techniques like Driven by Compromise, Account Manipulation, and so on.
   • Pie chart displaying the distribution of artifacts by MITRE ATT&CK tactics like discovery, persistence, defense evasion, and so on.
   • Time chart displaying the MITRE ATT&CK Techniques Over Time.
   • Time chart displaying the MITRE ATT&CK Tactics Over Time.
5. Use the visuals and charts to investigate risk objects for a single artifact.

Access the Risk tab in Workbench

For a single or multiple artifacts in an investigation, use the Risk tab in Workbench to display the risk modifiers, risk scores, and graph charts for MITRE ATT&CKS by following these steps:

1. From the Enterprise Security menu, select Investigation, which displays a list of open investigations.
2. Select an open investigation to display the Workbench panel.
3. Select Add Artifact to add artifacts (assets or identities) to your investigation.
   This opens the Add Artifacts dialog, which you might use to add a single or multiple artifacts to your investigation.
4. Select Add To Scope after specifying the details for the artifact, which displays the list of artifacts in your investigation.
5. Select Explore.
6. Select the Risk tab in Workbench to display the following items:
   
   • Risk scores for the risk object.
   • Recent risk modifiers applied to the risk objects.
   • Graph charts displaying the distribution of artifacts by MITRE ATT&CK techniques. For example: Driven by Compromise, Account Manipulation, and so on.
   • Graph charts displaying the distribution of artifacts by MITRE ATT&CK tactics. For example: discovery, persistence, defense evasion.
7. Use the visuals and charts to investigate risk objects for a single artifact or multiple artifacts.

See also

For more information on investigations in Splunk Enterprise Security, see the product documentation.

Investigations in Splunk Enterprise Security in Use Splunk Enterprise Security. .