Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Use drilldown searches in Splunk Enterprise Security during investigations

Use drill-down searches in Splunk Enterprise Security to quickly pivot to a search related to a notable event. For more information on drill down searches, see Drill down on event details in the Search manual.

Configure multiple drill down searches for a notable

Configure multiple searches as drill-downs to investigate different scenarios during investigations or notable analysis. You can access these drill-down searches easily from the notable.

If you use the Correlation Search Editor in Splunk Enterprise Security version 7.2.0 or higher to edit correlation searches that include legacy parameters specific to your environment, these legacy parameters that might be referenced in the correlation search via macros will be deleted unless you upgraded those parameters using custom scripts.

Do not use configuration files to edit your drill-down searches manually when configuring multiple drill-down searches. If you are on on-prem user, you must use the UI to create drill-down searches. Otherwise, you might see some parsing errors. In such cases, fix the issues in the configuration files prior to using multiple drill-down searches for investigations.

If you configure multiple drill-down searches for a notable, the risk timeline uses only the first drill-down search for the visualization.

  1. In the Content Management page of Splunk Enterprise Security, select the correlation search to which you want to add a drill down search.
  2. Select Edit Selected to open the Correlation Search Editor.
  3. In the Correlation Search Editor, go to Adaptive Response Actions.
  4. Select Add new adaptive response action, then select Notable. Alternatively, you can edit the adaptive response action if it was added previously.
  5. Go to Drill-down search.
    The following screenshot displays an example of populating the UI fields to add a drill-down search to a notable:
    This screenshot displays how a specific field can be added to a drill-down search.
  6. Enter the Drill-down Name.
  7. Enter the Drill-down Search.

    The fields Drill-down Name and Drill-down search are required to configure a drill-down search.

  8. In the Drill-down earliest offset field, type the amount of time before the time of the triggering event to look for related events for the Contributing Events link in the notable event. For example, 2h to look for contributing events 2 hours before the triggering event.
  9. In the Drill-down latest offset field, type the amount of time after the time of the triggering event to look for related events for the Contributing Events link in the notable event. For example, 1h to look for contributing events 1 hour after the triggering event.
  10. Select +Drill-down search to add another drill-down search to the notable.

View drill-down searches associated with a notable

Follow these steps to view the drill-down searches associated with a notable:

  1. In Splunk Enterprise Security, select Content > Content Management to open the risk incident rule in the Correlation Search Editor.
  2. Go to Adaptive Response Actions > Notable.
  3. If a drill-down search exists for the notable, use the Drill-down Search to identify the following:
    • All relevant risk events applied to the risk object including risk message, src, dest, user, and risk factors
    • MITRE ATT&CK annotations
    • Related risk objects associated with the risk events

For more information on using drill-down searches to review risk associated with a notable, see Review risk notables to identify risk in Splunk Enterprise Security.

Alternatively, you can also use the following procedure to view the drill-down searches associated with a notable:

  1. In Splunk Enterprise Security, go to Incident Review.
  2. Expand the risk notable for which you want to view the drill down searches.
  3. Go to Drill-down search and select the drill down search.

View drill down searches in the Risk Event Timeline

You can view the drill down searches associated with a risk notable in the Risk Event Timeline visualization for a risk notable. When expanding risk incident rules in the Risk Event Timeline view, click on a drilldown field named Contributing events: View contributing events.

When you select the Risk Event count on the Incident Review page, drill-down searches for each individual event are displayed. However, only the first drill-down search for the notable is used to load the events listed in the Risk Event Timeline.

If you configured multiple drill-down searches for a notable, the risk timeline uses only the first drill-down search for the visualization.

For more information on the Risk Event Timeline visualization, see Analyze risk events using the Risk Timeline in Splunk Enterprise Security.

See also

To learn more about drill-down searches, see the product documentation:

Use drilldown for dashboard interactivity in the Dashboard and Visualizations manual

Drill down on event details in the Search manual.

Last modified on 30 November, 2023
PREVIOUS
Manage investigations in Splunk Enterprise Security 		  NEXT
Administer and customize the investigation workbench

This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters