Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Analyze risk events using the Risk Timeline in Splunk Enterprise Security

Use the Risk Timeline to investigate the contributing risk events that created a risk notable.

Access the Risk Timeline

Access the Risk Timeline in one of the following ways on the Incident Review page:

  • Expand the risk notable and select the down arrow next to the Risk Object.
  • Go to the Notable Events table and select the number in the Risk Events column (which is an active link).

Identify the risk events associated with a risk notable

Follow these steps to identify the risk events associated with a risk notable so that you can isolate the threat to your security environment:

  1. From the Splunk Enterprise Security menu bar, select the Incident Review page.
  2. From the Type filter dropdown list, select Risk Notable to display the notables that have associated risk events.
  3. Expand the individual risk event to review the following fields:
    Field Description
    Risk Events Events that created the notable alert
    Risk Score Sum of all the scores associated with each of the contributing risk events
    For example, if there are 5 risk events and each risk event has a risk score of 10, 20, 30, 40, and 50, then the aggregated risk score is 150.
  4. Select the value of the Risk Events field in the row of the notable on the Incident Review page to open the Risk Event timeline and further investigate the risk events associated with the risk notable.
  5. Select the value in the Risk Events field for the notable that you want to investigate.
    Investigating a notable opens a window that contains two panels. The top panel displays a timeline visualization of the contributing risk events that created the notable. The bottom panel includes a table with detailed information on the contributing risk events.
  6. Sort the contributing risk events in the table based on any of the following fields:
    • Time
    • Risk Rule
    • Risk Score
  7. Expand the risk notable in the Contributing Risk Events table to further analyze the risk objects in your security environment.
    This includes information on the following fields:
    • Risk Object
    • Source
    • Risk Score
    • Risk Message
    • Saved Search Description
    • Threat Object
    • Threat Object Type
  8. Select View Contributing Events for information on the contributing events that triggered the risk event.
    You can also search for specific contributing risk events that created the notables through the filter.
  9. Correlate the risk events with dates and severity of the risk scores in the timeline visualization to identify threats.
    You can zoom in and out to narrow down the time of occurrence since the timeline visualization plots of the contributing risk events using time on the x-axis and the risk score on the y-axis.
  10. Select the color-coded icons in the timeline visualization to view more information on the risk event within a tool tip. The following list indicates additional details about the risk event:
    • Risk Score
    • Event Name
    • Description
    • Time
    • MITRE Tactic
    • MITRE Technique
  11. Select a notable on the timeline to highlight the associated row in the Contributing Risk Events table.
  12. Identify the risk object type using the icons displayed in the header of the timeline visualization.
    Following is a list of the available icons:
    • User
    • System
    • Network Artifacts
    • Other

You might see a small discrepancy between the event count on the Incident Review page and the event count on the risk window because a new search runs when you select the notable on the Incident Review page.

Potential display issues with the Risk Event Timeline

For Splunk Enterprise Security version 7.1.0 or higher, contributing risk events for risk notables might not be visible in the Risk Event Timeline if the risk notables are created before the upgrade and any one of the following conditions are met:

  • Entity zones are enabled
  • Changes are made to the entity zones that apply to existing risk notables
  • Asset and identity framework is disabled

For example:

If you have three entities such as Tom Black, tomb@splunk.com, and Tom's IP address (123.325.3456). All three are separate risk objects that might have different risk scores but point to same user. When you normalize these risk objects, all three risk objects can be grouped together, have the same risk score, and point to the same user. If you enable or disable the Asset and Identity framework or the CIM entity zones after normalizing the risk objects, the Risk Event Timeline might not display the three separate risk objects that existed prior to the risk normalization since it can only identity the normalized risk object to detect risk.

Say, the asset and identity framework was enabled and risk notables were created. However, upon upgrading to Splunk Enterprise Security version 7.1, the asset and identity framework was disabled using Configure > Data Enrichment>Asset and Identity Management > Correlation Setup > Disable for all sourcetypes.

Now, if you click on the Risk Event Timeline to search for a risk event, you might see the following error message "Risk event search did not return any results. Please verify notable drill down search."

Similarly, if the CIM entity zones were enabled and risk notables were created. However, upon upgrading to Splunk Enterprise Security version 7.1, the entity zones were reconfigured or disabled using Configure > Data Enrichment>Asset and Identity Management > Global Settings > Enable zones for assets and identities.

Now, if you click on the Risk Event Timeline to search for a risk event, you might see an error message "Risk event search did not return any results. Please verify notable drilldown search."

If you want to identify all the contributing risk events for a risk notable, you can run a search on the Risk index.

For example: Use the following search to identify the normalized risk objects (user) "pratik" without using the reference to entity zone.
.

| from datamodel Risk.All_Risk | search risk_object="pratik"


instead of:

| from datamodel Risk.All_Risk | search normalized_risk_object="pratik_sanfrancisco"

Using the search without any reference to the entity zone provides the list of normalized risk objects. However, this list of normalized risk objects that contribute to a risk notable is not rendered in the Risk Event Timeline.

For more information on entity zones, see Enable entity zones for assets and identities in Splunk Enterprise Security

See also

For more information about risk notables and the visualizations available for RBA in Splunk Enterprise Security, see the product documentation.

Create risk notables in Splunk Enterprise Security

Analyze risk notables using Threat Topology in Splunk Enterprise Security

How the Risk Timeline visualization works in Splunk Enterprise Security

Fields in a risk notable.

Last modified on 11 January, 2024
How the Risk Timeline visualization works in Splunk Enterprise Security   Analyze risk notables using Threat Topology in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters