Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

How the Risk Timeline visualization works in Splunk Enterprise Security

Use the Risk Timeline, a popup visualization, to drill down and analyze the correlation of the risk events with their associated risk score. You can also analyze the risk events associated with a risk notable by expanding the risk notable and reviewing specific fields. Additionally, there is a Contributing Events search link that is displayed on the Risk Event Timeline visualization.

The Risk Timeline visualization uses color codes on the icons to indicate the severity of the risk scores. The color coding of risk score icons is consistent across the Contributing Risk Events table and the Risk Timeline visualization of the risk events. A lighter color icon corresponds to a lower risk score.

You might not be able to use the Risk Timeline unless all required fields are present within the risk notable.

You can view a maximum of 100 risk events on the Contributing Risk Events table and the Risk Timeline visualization. If you have more than 100 risk events, the event count displays as 100+ on the header and includes a link to the search page that displays the complete list of risk events. If the number of risk events is less than 100, the event count displays as is.

The risk score in the Contributing Risk Events table and the Risk Timeline visualization is the calculated risk score of all events.

How the Risk Timeline gets populated

The Risk Timeline visualization gets populated by the risk_event_timeline_search macro in the macros.conf configuration file.

Following is an example of the risk_event_timeline_search macro:

[risk_event_timeline_search]
args       = normalized_risk_object, risk_object_type
definition = from datamodel:"Risk.All_Risk" 
| search normalized_risk_object="$normalized_risk_object$" risk_object_type="$risk_object_type$" 
| `get_correlations` 
| rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_tactic as mitre_tactic, annotations.mitre_attack.mitre_technique_id as mitre_technique_id, annotations.mitre_attack.mitre_technique as mitre_technique


You can edit the risk_event_timeline_search macro in the macros.conf file to add filters or tokens based on your requirements. Go to Settings > Advanced search > Search macros to edit the macros.conf file. However, editing the risk_event_timeline_search macro can break the Risk Timeline visualization.

See also

For more information about risk notables and the visualizations available for RBA in Splunk Enterprise Security, see the product documentation.

Create risk notables in Splunk Enterprise Security

Analyze risk events using the Risk Timeline in Splunk Enterprise Security.

Analyze risk notables using Threat Topology in Splunk Enterprise Security

Fields in a risk notable.

Last modified on 12 February, 2024
Default risk factors in Splunk Enterprise Security   Analyze risk events using the Risk Timeline in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters