Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Add dispositions to risk notables

This is the first step in the Reduce alert volumes by triaging notables scenario.

Ram adds dispositions to the risk notables using the Incident Review dashboard to identify the threat level associated with the notable accurately. Adding a disposition helps to classify the notables, separate the false positives, and drill down on the notables that pose the highest threat. Taking this step helps Ram to accelerate the triage of notables during an investigation and respond to security threats faster.

  1. From the Splunk Enterprise Security menu bar, Ram selects the Incident Review page and reviews the table that lists the notables.
  2. Ram sorts the table to show only the risk notables and selects the check box beside the risk notables for which Ram wants to add a disposition.
  3. Ram selects Edit Selected to edit the notable that they selected.
  4. For each risk notable, Ram selects one of the options from the Disposition list as shown in the following image and then saves the changes.

AddDispositiontoNotable

Now Ram needs to investigate only risk notables that get tagged as True Positive - Suspicious Activity.

Next step

Sort notables by disposition

See also

For more information on triaging notables using dispositions, see the product documentation:

Triage notables on Incident Review in Splunk Enterprise Security in the Use Splunk Enterprise Security manual.

Last modified on 02 June, 2023
Reduce alert volumes by triaging notables   Sort notables by disposition

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters