Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Reduce alert volumes by triaging notables

Buttercup Games, a fictitious company, runs an e-commerce site to sell its products. Ram, a security analyst at Buttercup Games, triages incoming notables from correlation searches and opens investigations to assess risk to the organization. Ram receives over 10,000 notables every day, 50% of which are false positives.

Despite Ram's best attempts to triage all notables and delegate the investigations, manually selecting notables for triage forces Ram to abandon certain notables that Ram deems less risky. Sifting through the high volume of notables causes Ram to burn out quickly. The high volume of excessive notables also results in slow threat detection and response time, which exposes Ram's organization to security threats.

Kay, the manager of the security operations center (SOC) at Buttercup Games and Ram's manager, wants to streamline the manual and monotonous triage process. Kay knows that Ram can overlook the risks in the SOC and asks Ram to use dispositions and other features available in Splunk Enterprise Security to triage notables and classify them. This process helps Ram to separate the false positives and focus on the notables that pose the highest threat.

This scenario describes how Ram uses dispositions to separate notables that are false positives from notables that represent real threats while reducing alert fatigue and risk in the SOC of Buttercup Games by taking these steps.

  1. Add dispositions to risk notables
  2. Sort notables by disposition
  3. Investigate risk notables that represent a threat
Last modified on 02 June, 2023
Adjust risk scores for specific objects   Add dispositions to risk notables

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters