Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Risk Analysis

The Risk Analysis dashboard displays recent changes to risk scores and objects that have the highest risk scores. As an analyst, you can use this dashboard to assess relative changes in risk scores and examine the events that contribute to an object's risk score.

You can use the Risk Analysis dashboard to review changes to an object's risk score, determine the source of a risk increase, and decide if additional action is needed.

Risk Analysis dashboard filters

Use any of the available filters on the Risk Analysis dashboard to search and filter the results. A filter is applied to all panels in the dashboard, but not the key security indicators.

Filter            Description
Index             Filter by the risk index or the test index.
Source            Filter by the correlation search that generated the risk modifiers.
Risk Object Type  Filter by the type of risk object: system, user, hash_values, network_artifacts, host_artifacts, tools, or other.
Risk Object       Select a risk object type and type a string to filter by risk object. Risk Object Type defaults to All.
Time              Filter by time window: Relative time, Real time, Date Range, Date & Time Range, and so on.

The Risk Object filter performs a reverse lookup against the asset and identity tables to find every identifier that has been associated with the specified Risk Object. All associated identifiers found by the reverse lookup are then displayed on the dashboard. For example, if you select a risk object type of system and type a Risk Object of 10.10.1.100, the reverse lookup against the assets table could return a MAC address. The Risk Analysis dashboard then updates to display any risk score applied to the 10.10.1.100 address and any risk score applied to that MAC address. If the asset table contains no match to another identifier, only the IP address matches from the Risk data model are displayed.
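The reverse lookup described above, written out as a search so you can see what the filter is doing and reuse it outside the dashboard. This is an added example, not a search from the dashboard or from Splunk's own code. It assumes the merged asset lookup is named asset_lookup_by_str with ip, mac, nt_host and dns columns (the names Splunk Enterprise Security ships with; confirm them under Asset and Identity Management in your deployment), and it uses the IP 10.10.1.100 from the text as a constructed input. The subsearch seeds itself with the IP, so the search still returns IP matches when the asset table has no row for it, which is the no-match case the paragraph describes.

```spl
| tstats summariesonly=false
    sum(All_Risk.risk_score) as risk_score
    count as risk_modifiers
    values(All_Risk.source) as sources
  from datamodel=Risk.All_Risk
  where All_Risk.risk_object_type="system"
    [ | makeresults
      | eval risk_object="10.10.1.100"
      | append [ | inputlookup asset_lookup_by_str where ip="10.10.1.100"
                 | eval risk_object=mvappend(ip, mac, nt_host, dns)
                 | fields risk_object ]
      | mvexpand risk_object
      | where isnotnull(risk_object) AND risk_object!=""
      | dedup risk_object
      | rename risk_object as All_Risk.risk_object
      | fields All_Risk.risk_object
      | format ]
  by All_Risk.risk_object
| rename All_Risk.* as *
| sort - risk_score
```

The inner subsearch expands every identifier on the matching asset row (IP, MAC, NT host and DNS name) into one row each, and format turns those rows into an OR clause that tstats applies in its where clause. One row per identifier comes back, so a host whose risk was scored once by IP and once by hostname appears as two rows; add a second stats over the result if you want them merged into one score per asset.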

Risk Analysis dashboard panels

The Risk Analysis dashboard offers additional views to help analyze risk scoring changes and what caused the changes. Use the filters to refine the view to a specific object or group of objects. Use the drilldown to explore the data as events.

Panel                            Description
Key Indicators                   Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security.
Risk Score By Object             Displays the objects with the highest risk score. The drilldown opens a search on the selected risk object, scoped to the selected time frame.
Most Active Sources              Displays the correlation searches that contribute the most risk across all objects. The drilldown opens a search on the selected source.
Risk Modifiers Over Time         Displays changes to risk modifiers over time. Use the dashboard filters to scope the view to a specific object or group of objects. The drilldown opens a search on all events in the Risk data model, scoped to the selected time frame.
Risk Score by Annotations        Pie chart showing how the total risk score is distributed across annotations.
Risk Modifiers by Annotations    Displays the risk modifiers grouped by annotation.
Risk Modifiers by Threat Object  Displays the risk modifiers grouped by threat object.
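The panels above are reachable only through the dashboard and its drilldowns. When you want the same numbers in a search, for example to alert when an object crosses a score threshold or to attach a list to a case, the following search reproduces Risk Score By Object together with the sources, ATT&CK technique annotations and threat objects that fed each score, so that in one table you can see what raised the score. This is an added example, not the search behind the dashboard panel. It assumes the Risk data model fields that Splunk Enterprise Security populates (All_Risk.risk_object, risk_object_type, risk_score, source, annotations.mitre_attack.mitre_technique_id and threat_object) and reads the risk index; to mirror the Index filter and read the test index instead, replace risk in the where clause with the name of your test index. The 24-hour window and the limit of 20 objects are arbitrary choices for the example.

```spl
| tstats summariesonly=false
    sum(All_Risk.risk_score) as risk_score
    count as risk_modifiers
    dc(All_Risk.source) as distinct_sources
    values(All_Risk.source) as sources
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_techniques
    values(All_Risk.threat_object) as threat_objects
    min(_time) as first_seen
    max(_time) as last_seen
  from datamodel=Risk.All_Risk
  where index=risk earliest=-24h@h latest=now
  by All_Risk.risk_object All_Risk.risk_object_type
| rename All_Risk.* as *
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - risk_score
| head 20
```

Changing the by clause to All_Risk.source gives the Most Active Sources panel, and changing it to All_Risk.annotations.mitre_attack.mitre_technique_id gives Risk Modifiers by Annotations; the aggregations stay the same. summariesonly=false makes the search fall back to raw risk events when the data model acceleration has not caught up, which is what you want during an investigation; set it to true for a scheduled search where speed matters more than the last few minutes of data.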


Use behavioral analytics detections on test index

On the Risk Analysis dashboard, you can choose whether the panels read from the risk index or the test index. This choice affects only what the dashboard panels display; it does not change which index your detections write to.

Selecting the test index lets you vet detection output and decide which detections surface threats effectively, without experimenting on the production data in the risk index.

Follow these steps to use the test index for your detections:

  1. In your Splunk Enterprise Security app, go to Security Intelligence.
  2. Select Risk Analysis.
  3. In the Index field, select Risk or Test.

Review enabled detections

On the Risk Analysis dashboard, you can see how many detections are enabled and pointed at the risk index, compared with the total number of detections available in Splunk Enterprise Security. From there you can enable or disable detections, or point them at the test index, as required.

Follow these steps to review the detections on the Risk Analysis dashboard:

  1. In the Splunk Enterprise Security app, go to Security Intelligence.
  2. Select Risk Analysis.
  3. Go to the key indicator panel BA DETECTIONS IN THE RISK INDEX, which displays the number of detections in use versus the number of detections available. For example, 24/74 indicates that 24 of the 74 available detections are enabled on the risk index.
  4. Select the key indicator, for example 24/74. This opens a new tab in Content Management that lists all available detections and shows which are already enabled on the risk index.
  5. Select Enable on the risk index to enable a detection on the risk index.
  6. Select Disable to disable a detection.
  7. Select Enable on the test index to enable a detection on the test index.

For more information on enabling behavioral analytics service on Splunk Enterprise Security, see Enable behavioral analytics service on Splunk Enterprise Security.

Review detailed information on risk annotations in context

On the Risk Analysis dashboard, you can review detailed information on risk annotations to get additional context that makes it easier to identify the root problem and detect security threats during the phases of a cybersecurity investigation.

Follow these steps to review detailed information on risk annotations in the context of an investigation:

  1. In the Splunk Enterprise Security app, go to Security Intelligence.
  2. Select Risk Analysis.
  3. Go to the table on Risk Modifiers by Annotations.
  4. Select an annotation, such as T1059, to display all the information on that MITRE ATT&CK tactic or technique.

For more information on how risk annotations provide additional context during an investigation, see How risk annotations provide additional context in Splunk Enterprise Security.

View the Risk Event Timeline visualization

On the Risk Analysis dashboard, you can access the Risk Event Timeline visualization for risk objects to review historical events easily during an investigation.

Follow these steps to access the Risk Event Timeline visualization from the Risk Analysis dashboard:

  1. In the Splunk Enterprise Security app, go to Security Intelligence.
  2. Select Risk Analysis.
  3. Go to the Risk Score by Object panel.
  4. Select a risk object. A modal opens that displays the Risk Event Timeline visualization for that object.

For more information on how the Risk Event Timeline visualization works in Splunk Enterprise Security, see How the Risk Event Timeline visualization works in Splunk Enterprise Security.

Access threat object activity

From the Risk Analysis dashboard, you can navigate to activities related to specific threat objects and select a time range to isolate threats during an investigation.

Follow these steps to navigate to the Threat Activity dashboard from the Risk Analysis dashboard:

  1. In the Splunk Enterprise Security app, go to Security Intelligence.
  2. Select Risk Analysis.
  3. Go to the Risk Modifiers by Threat Object panel.
  4. Select a threat object. The Threat Activity dashboard opens, populated with information on that specific threat object.
  5. Adjust the time range on the Threat Activity dashboard if required. By default, the time range matches the one used on the Risk Analysis dashboard when you opened the investigation.
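The drilldown above pivots from a threat object to the activity associated with it. The search below performs the same pivot over the Risk data model, listing every risk object that a given threat object has raised risk against, with the sources and time span of that activity, which is the question an analyst asks when deciding whether one indicator has touched several hosts. This is an added example, not the search behind the Threat Activity dashboard, which also draws on threat intelligence matches that are not in the Risk data model. It assumes the All_Risk.threat_object and All_Risk.threat_object_type fields that Splunk Enterprise Security populates; the threat object type ip and the IP 203.0.113.10 are constructed values for the example, as is the seven-day window, which you would normally replace with the time range carried over from the Risk Analysis dashboard.

```spl
| tstats summariesonly=false
    sum(All_Risk.risk_score) as risk_score
    count as risk_modifiers
    values(All_Risk.source) as sources
    values(All_Risk.risk_object_type) as risk_object_types
    min(_time) as first_seen
    max(_time) as last_seen
  from datamodel=Risk.All_Risk
  where index=risk earliest=-7d@d latest=now
    All_Risk.threat_object_type="ip"
    All_Risk.threat_object="203.0.113.10"
  by All_Risk.threat_object All_Risk.risk_object
| rename All_Risk.* as *
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - risk_score
```

Drop the threat_object filter and keep only threat_object_type to get a per-indicator view across every IP that has contributed risk in the window, or run the search with dc(All_Risk.risk_object) as a count to rank threat objects by how many distinct objects they have touched.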
Last modified on 06 September, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0, 7.3.0, 7.3.1, 7.3.2

