Splunk® Enterprise Security

Splunk Enterprise Security Tutorials

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Part 5: Review risk notables for triaging

Now, you can review some of the risk notables that are generated by the default risk incident rules in Splunk Enterprise Security. Drilling down on risk notables with the Risk Event Timeline visualization helps you triage them and identify the ones that require further investigation.

Following are the default risk incident rules available in Splunk Enterprise Security:

  • ATT&CK Tactic Threshold Exceeded For Object Over Previous 7 days
  • Risk Threshold Exceeded For Object Over 24 Hour Period

Review risk notables

Follow these steps to review risk notables generated by the default risk incident rules available in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, select Configure, then select Content.
  2. Select Content Management.
  3. In Type, select Correlation Search.
  4. In App, select SA-ThreatIntelligence. (Screen image: searching for the default risk incident rules.)
  5. Select the default risk incident rule Risk Threshold Exceeded For Object Over 24 Hour Period to open it in the Correlation Search Editor. (Screen image: the default risk incident rules.)
  6. From the Correlation Search Editor, copy the SPL search associated with this risk incident rule and paste it in the Search bar to review the results.

    | tstats `summariesonly`
        mode(All_Risk.risk_object) as risk_object,
        sum(All_Risk.calculated_risk_score) as risk_score,
        count(All_Risk.calculated_risk_score) as risk_event_count,
        values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id,
        dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
        values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id,
        dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count,
        values(All_Risk.tag) as tag,
        values(source) as source,
        dc(source) as source_count,
        values(All_Risk.risk_object) as all_risk_objects,
        values(All_Risk.cim_entity_zone) as cim_entity_zone
        from datamodel=Risk.All_Risk
        by All_Risk.normalized_risk_object, All_Risk.risk_object_type
    | `drop_dm_object_name("All_Risk")`
    | eval "annotations.mitre_attack"='annotations.mitre_attack.mitre_technique_id', risk_threshold=100
    | where risk_score > $risk_threshold$
    | `get_risk_severity(risk_score)`

    You might find a few risk objects that are worth investigating further because of their high risk score, high risk event count, and the number of MITRE tactics associated with them. (Screen image: a risk object with a high risk score that requires further investigation.)
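To make the grouping and threshold logic of this search concrete, the following is an added Python example (not Splunk's code and not part of this tutorial) that re-implements the same aggregation over a handful of constructed risk events: it groups by normalized risk object and object type, sums calculated_risk_score, counts contributing events, collects the distinct MITRE tactic and technique IDs and rule sources, keeps only objects whose total is strictly greater than the threshold of 100, and then orders the survivors by tactic count, score and event count, which is the triage order the note above suggests. The event field names follow the search; the sample events, the rule names in source, and the rank_for_triage ordering are assumptions, and the get_risk_severity macro is not reproduced.

```python
from collections import Counter, defaultdict

# Same value as "eval risk_threshold=100" in the risk incident rule.
RISK_THRESHOLD = 100

# Constructed sample rows shaped like Risk data model events after
# drop_dm_object_name("All_Risk"). Values and rule names are made up.
SAMPLE_RISK_EVENTS = [
    {"risk_object": "WRK-042", "normalized_risk_object": "wrk-042", "risk_object_type": "system",
     "calculated_risk_score": 60, "mitre_tactic_id": "TA0002", "mitre_technique_id": "T1059",
     "tag": "attack", "source": "Threat - Suspicious PowerShell Invocation - Rule"},
    {"risk_object": "WRK-042", "normalized_risk_object": "wrk-042", "risk_object_type": "system",
     "calculated_risk_score": 40, "mitre_tactic_id": "TA0005", "mitre_technique_id": "T1070",
     "tag": "attack", "source": "Threat - Event Log Cleared - Rule"},
    {"risk_object": "wrk-042", "normalized_risk_object": "wrk-042", "risk_object_type": "system",
     "calculated_risk_score": 25, "mitre_tactic_id": "TA0002", "mitre_technique_id": "T1059",
     "tag": "attack", "source": "Threat - Suspicious PowerShell Invocation - Rule"},
    {"risk_object": "alice", "normalized_risk_object": "alice", "risk_object_type": "user",
     "calculated_risk_score": 50, "mitre_tactic_id": "TA0001", "mitre_technique_id": "T1566",
     "tag": "attack", "source": "Threat - Phishing Attachment Opened - Rule"},
    {"risk_object": "alice", "normalized_risk_object": "alice", "risk_object_type": "user",
     "calculated_risk_score": 50, "mitre_tactic_id": "TA0001", "mitre_technique_id": "T1566",
     "tag": "attack", "source": "Threat - Phishing Attachment Opened - Rule"},
    {"risk_object": "bob", "normalized_risk_object": "bob", "risk_object_type": "user",
     "calculated_risk_score": 30, "mitre_tactic_id": "TA0043", "mitre_technique_id": "T1595",
     "tag": "attack", "source": "Threat - Internal Port Scan - Rule"},
]


def distinct_values(events, field):
    """Equivalent of values(<field>) in tstats: the distinct values, sorted for stable output."""
    return sorted({ev[field] for ev in events})


def aggregate_risk(events, threshold=RISK_THRESHOLD):
    """Group risk events by (normalized_risk_object, risk_object_type) like the
    tstats search, compute the same aggregates, and keep only the groups whose
    summed risk score exceeds the threshold (strict '>' like the where clause)."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["normalized_risk_object"], ev["risk_object_type"])].append(ev)

    notables = []
    for (norm_obj, obj_type), evs in groups.items():
        tactics = distinct_values(evs, "mitre_tactic_id")
        techniques = distinct_values(evs, "mitre_technique_id")
        sources = distinct_values(evs, "source")
        row = {
            "normalized_risk_object": norm_obj,
            "risk_object_type": obj_type,
            # mode(All_Risk.risk_object): the most common raw spelling of the object
            "risk_object": Counter(ev["risk_object"] for ev in evs).most_common(1)[0][0],
            "risk_score": sum(ev["calculated_risk_score"] for ev in evs),
            "risk_event_count": len(evs),
            "mitre_tactic_ids": tactics,
            "mitre_tactic_id_count": len(tactics),
            "mitre_technique_ids": techniques,
            "mitre_technique_id_count": len(techniques),
            "tag": distinct_values(evs, "tag"),
            "source": sources,
            "source_count": len(sources),
            "all_risk_objects": distinct_values(evs, "risk_object"),
        }
        if row["risk_score"] > threshold:
            notables.append(row)
    return notables


def rank_for_triage(notables):
    """Assumed triage order: more distinct tactics first, then higher score,
    then more contributing events. Not a Splunk-defined ordering."""
    return sorted(
        notables,
        key=lambda r: (r["mitre_tactic_id_count"], r["risk_score"], r["risk_event_count"]),
        reverse=True,
    )


if __name__ == "__main__":
    for row in rank_for_triage(aggregate_risk(SAMPLE_RISK_EVENTS)):
        print(row["risk_object_type"], row["risk_object"], row["risk_score"],
              row["risk_event_count"], row["mitre_tactic_ids"], row["source_count"])
```

Two details worth noticing when you read the real search against this model: the grouping key is the normalized object, so "WRK-042" and "wrk-042" land in one notable while all_risk_objects preserves both spellings, and the comparison is strictly greater than the threshold, so a user whose events sum to exactly 100 does not produce a notable until one more event arrives.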

Use Incident Review for additional context to triage incidents effectively

Follow these steps to triage incidents using the Incident Review page:

  1. In Splunk Enterprise Security, select Incident Review to display the list of risk notables.
  2. Expand the risk notable for additional context, such as the MITRE tactic and technique, associated risk objects, risk object priority, and risk score. (Screen image: a risk notable expanded for additional context.)
  3. Under Contributing Events, select View the individual Risk Attributions to drill down into the risk index. (Screen image: drilling down on the risk index to view contributing events.)

    If you want to display additional context, you can add more columns to the search of the risk index by modifying the drill-down search in the Adaptive Response Action of the Correlation Search Editor. (Screen image: modifying the drill-down search to customize the view of contributing risk events.)

    Following is an example of what the search results look like with the improved drill-down. (Screen image: search results for a drill-down search with additional context.) The risk message in the table provides additional information that might be helpful for triaging.

Use the Risk Event Timeline to drill down on risk events

Now, you can explore the risk notables generated by the default risk incident rule in the Risk Event Timeline visualization, sorting the contributing risk events by time to review the associated threat objects.

Follow these steps to examine the risk notables using the Risk Event Timeline:

  1. In Splunk Enterprise Security, go to Incident Review and select the drop-down arrow next to the risk object in the Actions column. (Screen image: accessing the Risk Event Timeline.)
  2. Select Risk Event Timeline. (Screen image: opening the Risk Event Timeline.)
  3. Review the timeline visualization to sort the contributing risk events by time and review the associated threat objects. (Screen image: viewing events in the Risk Event Timeline.)

See also

For more information on the Risk Event Timeline visualization, see the product documentation:

Next step

Now that you have reviewed a risk notable that might indicate a threat, you can explore how to suppress risk notables that are harmless.

Last modified on 14 June, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0, 7.3.0, 7.3.1, 7.3.2
