Investigate risk notables using Threat Topology visualization
This is the last step in the Isolate user behaviors that pose threats with risk-based alerting scenario.
During an investigation, Ram also uses the Threat Topology visualization in Splunk Enterprise Security to isolate high risk users and identify how their behaviors might relate to each other by following these steps:
- From the Splunk Enterprise Security menu bar, Ram clicks the Incident Review page.
- Ram filters notables by "risk" Type to display all the risk notables.
- Ram selects the number of risk events in the Risk Events column for the risk notable 24 hour Risk Threshold Exceeded by Privileged User.
- Ram selects the Threat Topology option to display the connections between the risk events associated with the risk notable.
- Ram selects risk objects to highlight the related risk objects or threat objects and display details such as MITRE ATT&CK information, risk scores, priority, and so on.
- Ram also expands the risk notable to list the artifacts or risk objects associated with the risk notable.
- Ram selects Investigate all artifacts to display more context on the artifacts associated with the investigation such as Risk Scores, Related Notables, Notable Events, and System Vulnerabilities.
Using the Threat Topology visualization, Ram identifies how multiple risk objects point to a single threat object. This makes the risk notable more meaningful for Ram and helps him investigate why a specific threat is persisting across a group of risk objects and drill down into the issue.
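The relationship the Threat Topology view draws can be reproduced from the raw risk events themselves: each event links one risk object (a user or system) to one threat object (an IP, domain, file, and so on). The following Python script is an added example and is not part of the Splunk documentation or the Splunk Enterprise Security product; it builds that risk-object to threat-object graph from a small set of constructed events and reports threat objects that several risk objects share, which is the pattern Ram spots in the visualization. The field names (risk_object, threat_object, risk_score, and so on) are assumed to follow the Splunk ES risk index convention; the sample events and scores are made up for the example.

```python
"""Added example (not Splunk's code): model the Threat Topology graph from risk events."""
from collections import defaultdict

# Constructed sample risk events. Field names are assumed to mirror the Splunk ES
# risk index (risk_object, risk_object_type, threat_object, threat_object_type,
# risk_score, search_name); values are invented for illustration only.
RISK_EVENTS = [
    {"risk_object": "alice", "risk_object_type": "user", "threat_object": "203.0.113.10",
     "threat_object_type": "ip", "risk_score": 40, "search_name": "Excessive Failed Logins"},
    {"risk_object": "alice", "risk_object_type": "user", "threat_object": "evil.example",
     "threat_object_type": "domain", "risk_score": 20, "search_name": "DNS to Rare Domain"},
    {"risk_object": "bob", "risk_object_type": "user", "threat_object": "203.0.113.10",
     "threat_object_type": "ip", "risk_score": 30, "search_name": "Excessive Failed Logins"},
    {"risk_object": "bob", "risk_object_type": "user", "threat_object": "evil.example",
     "threat_object_type": "domain", "risk_score": 20, "search_name": "DNS to Rare Domain"},
    {"risk_object": "carol", "risk_object_type": "user", "threat_object": "203.0.113.10",
     "threat_object_type": "ip", "risk_score": 50, "search_name": "Privileged Account Lockout"},
    {"risk_object": "dave", "risk_object_type": "user", "threat_object": "payload.example",
     "threat_object_type": "domain", "risk_score": 10, "search_name": "DNS to Rare Domain"},
]


def build_topology(events):
    """Return (risk_to_threat, threat_to_risk): the two directions of the graph.

    risk_to_threat maps each risk object to the set of threat objects it touched;
    threat_to_risk is the reverse edge list used to spot shared threat objects.
    """
    risk_to_threat = defaultdict(set)
    threat_to_risk = defaultdict(set)
    for ev in events:
        risk_to_threat[ev["risk_object"]].add(ev["threat_object"])
        threat_to_risk[ev["threat_object"]].add(ev["risk_object"])
    return dict(risk_to_threat), dict(threat_to_risk)


def risk_score_by_object(events):
    """Sum the risk_score contributions per risk object (the total a risk notable keys on)."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev["risk_object"]] += ev["risk_score"]
    return dict(totals)


def shared_threat_objects(events, min_risk_objects=2):
    """List threat objects that at least `min_risk_objects` distinct risk objects point to.

    Result is sorted so the most widely shared threat object comes first; ties are
    broken by threat object name. Each entry is (threat_object, sorted risk objects).
    """
    _, threat_to_risk = build_topology(events)
    shared = [
        (threat, sorted(risk_objs))
        for threat, risk_objs in threat_to_risk.items()
        if len(risk_objs) >= min_risk_objects
    ]
    shared.sort(key=lambda item: (-len(item[1]), item[0]))
    return shared


def risk_objects_over_threshold(events, threshold):
    """Risk objects whose summed score meets the threshold, like the notable in the scenario."""
    totals = risk_score_by_object(events)
    return sorted(obj for obj, score in totals.items() if score >= threshold)


if __name__ == "__main__":
    for threat, risk_objs in shared_threat_objects(RISK_EVENTS):
        print(f"{threat} is shared by {len(risk_objs)} risk objects: {', '.join(risk_objs)}")
    print("Over threshold 50:", risk_objects_over_threshold(RISK_EVENTS, 50))
```

Running the script lists 203.0.113.10 as the threat object shared by alice, bob and carol, and evil.example as shared by alice and bob; dave's single link to payload.example is not reported because only one risk object points at it. The same grouping is what makes the Threat Topology view useful: a threat object with many inbound edges explains why several users tripped the same notable.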
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2