Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Investigate risk notables using Threat Topology visualization

This is the last step in the Isolate user behaviors that pose threats with risk-based alerting scenario.

During an investigation, Ram also uses the Threat Topology visualization in Splunk Enterprise Security to isolate high risk users and identify how their behaviors might relate to each other by following these steps:

  1. From the Splunk Enterprise Security menu bar, Ram clicks the Incident Review page.
  2. Ram filters notables by "risk" Type to display all the risk notables.
  3. Ram selects the number of risk events in the Risk Events column for the risk notable 24 hour Risk Threshold Exceeded by Privileged User.
  4. Ram selects the Threat Topology option to display the connections between the risk events associated with the risk notable.
  5. Ram selects on risk objects to highlight the related risk objects or threat objects and displays details such as MITRE information, risk scores, priority, and so on.
  6. Ram also expands the risk notable to list the artifacts or risk objects associated with the risk notable.
  7. Ram selects Investigate all artifacts to display more context on the artifacts associated with the investigation such as Risk Scores, Related Notables, Notable Events, and System Vulnerabilities.

Using the Threat Topology visualization, Ram identifies how multiple risk objects point to a single threat object. This makes the risk notable more meaningful for Ram and helps to investigate why a specific threat is persisting across a group of risk objects and drill down into the issue.

Last modified on 02 June, 2023
Use the Risk Analysis dashboard to monitor high risk user behavior   Additional resources

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters