Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Investigate risk notables that represent a threat

This is the last step in the Reduce alert volumes by triaging notables scenario.

Ram investigates the risk notables that get tagged as True Positive - Suspicious Activity using the timeline visualization on the Incident Review page and identifies the source of the security threat.

  1. From the Splunk Enterprise Security menu bar, Ram clicks the Incident Review page.
  2. From the Type list, Ram selects Risk Notable to display the notables that have associated risk events.
  3. Ram focuses only on the risk notables that have the Disposition tagged as True Positive - Suspicious Activity.
  4. Ram reviews the following two fields for the risk notables: Risk Events and Aggregated Score. The Aggregated Score is the sum of all the scores associated with each of the contributing risk events.
  5. Ram selects the value in the Risk Events field for the notable event that Ram wants to investigate. This opens a window that contains two panels. The top panel displays a timeline visualization of the contributing risk events that created the notable. The bottom panel includes a table with detailed information on the contributing risk events as shown in the following image:
    [Image: TimelineVisualizationRiskEvents, the timeline panel above the Contributing Risk Events table]
  6. Ram expands a risk event in the Contributing Risk Events table for more details to further analyze the risk objects in the security environment.
    This includes information on the following fields:
    • Risk Object
    • Source (the detection or saved search that generated the risk event)
    • Risk Score
    • Risk Message
    • Saved Search Description
    • Threat Object
    • Threat Object Type
    These details provide Ram with further context to analyze the risk object, such as PowerShell activity, registry entries, commands, risk messages, user login information, or any other suspicious activity as shown in the following image:
    [Image: ContributingRiskEventsTable]
  7. Ram correlates the timing of the risk events with the severity of their risk scores in the timeline visualization to identify threats.
  8. Ram also zooms in and out to narrow down the time of occurrence, since the timeline visualization plots the contributing risk events with time on the x-axis and the risk score on the y-axis. The timeline visualization also color codes the icons to indicate the severity of the risk scores. The color coding of risk score icons is consistent across the Contributing Risk Events table and the timeline visualization of the risk events: a lower risk score corresponds to a lighter color icon.
  9. Ram now identifies the risk object type through the icons displayed in the header of the timeline visualization. The icons include:
    • User
    • System
    • Network Artifacts
    • Other

Using the filters, timeline, and other visualizations on the Incident Review page in Splunk Enterprise Security helps Ram accelerate the triage of notables during the investigation workflow.
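The two panels Ram opens from the Risk Events field are views over events stored in the risk index. The following SPL search is added here as an example and is not part of the product documentation: it reproduces the Contributing Risk Events table for one risk object and computes the Aggregated Score the same way the page describes it, as the sum of the risk_score values of the contributing risk events. The risk object `jsmith`, the 24-hour window and the score bands behind the `severity` field are assumptions chosen for illustration; `index=risk` and the `risk_object`, `risk_object_type`, `risk_score`, `risk_message`, `source`, `threat_object` and `threat_object_type` fields are the standard Enterprise Security risk index fields that back the columns listed in step 6.

```spl
index=risk earliest=-24h latest=now
    risk_object="jsmith" risk_object_type="user"
| fillnull value="-" threat_object threat_object_type risk_message
| eval severity=case(risk_score>=80, "critical", risk_score>=60, "high", risk_score>=40, "medium", true(), "low")
| eventstats sum(risk_score) AS aggregated_score, dc(source) AS contributing_sources BY risk_object
| sort 0 _time
| table _time risk_object risk_object_type source risk_score severity risk_message threat_object threat_object_type aggregated_score contributing_sources
```

Run the search with the same time range as the notable being investigated, because the Aggregated Score only matches the Incident Review value when the window covers the same contributing events. The `contributing_sources` column shows how many distinct detections fed the score, which is the quickest way to tell a single noisy detection from several independent signals against the same object. To reproduce the timeline panel instead of the table, replace the final `table` command with `timechart span=1h sum(risk_score) AS risk_score BY source`, which plots time on the x-axis and the score on the y-axis broken out by contributing detection.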

Ram can now quickly identify the risk events that might pose a threat to Buttercup Games.

See also

For more information on investigating risk notables, see the product documentation:

Review risk notables to identify risk in Splunk Enterprise Security

Last modified on 02 June, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2

