Review risk notables to identify risk in Splunk Enterprise Security
Evaluate the risk associated with risk notables using the following methods:
- Use the drill down search to review risk notables
- Review risk notables from the same risk object
- Review risk notables with enrichment from entity zones
- View the MITRE ATT&CK posture for a risk notable
Use the drill down search to review risk notables
Follow these steps to correlate and aggregate the risk associated with assets and identities in Splunk Enterprise Security:
- In Splunk Enterprise Security, select Content > Content Management and open the risk incident rule in the correlation search editor.
- Go to Adaptive Response Actions > Notable.
- In the Drill-down Search field, write a search that identifies the following:
- All relevant risk events applied to the risk object, including the risk message, src, dest, user, and risk factors
- MITRE ATT&CK annotations
- Related risk objects associated with the risk events
Following is an example of a drill down search that you can use to identify risk events, MITRE ATT&CK annotations, risk objects, and so on. The first part of the search returns the risk events in which the selected object is the risk object itself (risk_event_type="primary_object"); the appended subsearch returns risk events of other risk objects in which the selected object appears as dest, src, or user (risk_event_type="related_object"):
| from datamodel:"Risk.All_Risk"
| search risk_object="$risk_object$"
| table _time, risk_object, risk_object_type, source, annotations.mitre_attack.mitre_tactic_id, annotations.mitre_attack.mitre_technique_id, dest, src, user, risk_message, calculated_risk_score, risk_factor*
| rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_technique_id as mitre_technique_id
| eval risk_event_type="primary_object"
| append [
| from datamodel:"Risk.All_Risk"
| search risk_object!="$risk_object$" (dest="$risk_object$" OR src="$risk_object$" OR user="$risk_object$")
| table _time, risk_object, risk_object_type, source, annotations.mitre_attack.mitre_tactic_id, annotations.mitre_attack.mitre_technique_id, dest, src, user, risk_message, calculated_risk_score, risk_factor*
| rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_technique_id as mitre_technique_id
| eval risk_event_type="related_object"
]
The exclusion in the subsearch must be exactly risk_object!="$risk_object$", with no stray whitespace inside the quotes; otherwise the comparison never matches and the primary object's own risk events are repeated in the related set.
These drill down searches help you investigate the risk object associated with a risk notable from the Incident Review page.
Review risk notables from the same risk object
Follow these steps to surface high risk notables that come from the same risk object so that you can investigate connected behaviors and threats:
- Configure the risk_object_type field correctly so that Splunk Enterprise Security can normalize the assets and identities and group their risk events accurately:
- Ensure that the risk_object_type field of the risk event is system so that Splunk Enterprise Security associates the risk object of the risk event with an asset.
- Ensure that the risk_object_type field of the risk event is user so that Splunk Enterprise Security associates the risk object of the risk event with an identity.
- Navigate to the Search page and search for index=notable to view the normalized risk object associated with a risk notable.
- Navigate to the Incident Review page and expand the risk notable to view the most frequent risk objects from all the contributing risk events grouped together.
For more information on reviewing risk notables originating from the same risk object, see Risk notables from the same risk object.
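The following search is added here as an example and is not taken from the original page. It finds risk objects that appear in more than one risk notable over the last seven days, so that notables sharing the same normalized asset or identity can be reviewed together instead of one at a time. It builds on the index=notable search above and assumes that risk notable events carry the risk_object, risk_object_type and risk_score fields, and that the source field of a notable event holds the name of the risk incident rule that created it; those field names and the seven-day window are assumptions to verify against your deployment.

```spl
index=notable earliest=-7d@d latest=now risk_object=* risk_object_type=*
| stats count AS risk_notables,
        values(source) AS risk_incident_rules,
        max(risk_score) AS max_risk_score,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY risk_object, risk_object_type
| where risk_notables > 1
| convert ctime(first_seen) ctime(last_seen)
| sort -max_risk_score, -risk_notables
```

Because the grouping is by both risk_object and risk_object_type, an entity that was scored once as system and once as user appears as two rows; that is the symptom to look for when checking the risk_object_type configuration described above. A single row with several risk_incident_rules is a risk object that has tripped more than one rule and deserves a combined review rather than per-notable triage.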
Review risk notables enriched by entity zones
Follow these steps to surface high risk notables by entity zone so that you can investigate threats using the additional context that the entity zones provide:
- In the Incident Review page, expand the risk notable to view the entity zone associated with it.
- Evaluate the risk of notables that pertain to the same entity zone together.
When you upgrade to Splunk Enterprise Security version 7.1.0, contributing risk events for risk notables might not be visible in the Risk Event Timeline if the risk notables were created before the upgrade and any one of the following conditions is met:
- Entity zones are enabled
- Changes are made to the entity zones that apply to existing risk notables
- Asset and identity framework is disabled
Additionally, if you change the entity zones or the assets and identities framework after risk notables have been created, the risk object normalization might change, so the contributing risk events of those earlier risk notables might no longer be visible in the Risk Event Timeline visualization.
For more information on entity zones, see Enable entity zones for assets and identities in Splunk Enterprise Security
View the MITRE ATT&CK posture for a risk notable
View the MITRE ATT&CK posture within the context of a risk notable so that you can reduce the mean time to detection (MTTD) and mean time to repair (MTTR) and enhance the situational awareness in your security operations center (SOC).
Follow these steps to view the MITRE ATT&CK posture for a risk notable in context:
- In Splunk Enterprise Security, select Incident Review.
- Expand a risk notable from the list of risk notables.
- Scroll to MITRE ATT&CK Posture for this Notable to see the highlighted MITRE ATT&CK tactics and techniques that were detected for the risk object.
The MITRE matrix chart displays all the tactics and techniques for every risk event associated with the risk object for that risk notable.
You can also scroll to Additional Fields to see the list of MITRE ATT&CK tactics and techniques for the risk notable.
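As an added example that is not part of the original page, the following search summarizes the ATT&CK posture of one risk object directly from the Risk data model, which is the same source the drill-down search above reads: it deduplicates the multivalue tactic and technique annotations, counts distinct tactics, sums the calculated risk score, and lists the detections that contributed. $risk_object$ is the same token the drill-down search uses; the seven-day window and the two thresholds in the final eval (three distinct tactics, a cumulative score above 100) are illustrative assumptions, not values stated on this page.

```spl
| from datamodel:"Risk.All_Risk"
| search risk_object="$risk_object$"
| where _time >= relative_time(now(), "-7d@d")
| rename annotations.mitre_attack.mitre_tactic_id AS mitre_tactic_id,
         annotations.mitre_attack.mitre_technique_id AS mitre_technique_id
| eval mitre_tactic_id=mvdedup(mitre_tactic_id),
       mitre_technique_id=mvdedup(mitre_technique_id)
| stats count AS risk_events,
        sum(calculated_risk_score) AS total_risk_score,
        dc(mitre_tactic_id) AS distinct_tactics,
        values(mitre_tactic_id) AS tactics,
        values(mitre_technique_id) AS techniques,
        values(source) AS contributing_searches
        BY risk_object, risk_object_type
| eval posture=case(distinct_tactics >= 3, "spans multiple tactics",
                    total_risk_score > 100, "high cumulative score",
                    true(), "below illustrative thresholds")
```

Set the time range picker wide enough to cover the window, or change the relative_time offset. A risk object whose techniques span several tactics is the case the MITRE ATT&CK Posture panel highlights; comparing the tactics column with the panel is a quick way to confirm that the annotations on the contributing detections are populated, because a detection without annotations adds score but no posture.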
See also
For more information about risk notables and entity zones, see the product documentation.
Risk notables enriched by entity zones
Enable entity zones for assets and identities in Splunk Enterprise Security
After upgrading to Splunk Enterprise Security version 7.1.0
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2