Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

How the Risk Timeline visualization works in Splunk Enterprise Security

Use the Risk Timeline, a popup visualization, to drill down and analyze the correlation of the risk events with their associated risk score. You can also analyze the risk events associated with a risk notable by expanding the risk notable and reviewing specific fields. Additionally, there is a Contributing Events search link that is displayed on the Risk Event Timeline visualization.

The Risk Timeline visualization uses color codes on the icons to indicate the severity of the risk scores. The color coding of risk score icons is consistent across the Contributing Risk Events table and the Risk Timeline visualization of the risk events. A lighter color icon corresponds to a lower risk score.

You might not be able to use the Risk Timeline unless all required fields are present within the risk notable.

You can view a maximum of 100 risk events on the Contributing Risk Events table and the Risk Timeline visualization. If you have more than 100 risk events, the event count displays as 100+ on the header and includes a link to the search page that displays the complete list of risk events. If the number of risk events is less than 100, the event count displays as is.

The risk score in the Contributing Risk Events table and the Risk Timeline visualization is the calculated risk score of all events.

How the Risk Timeline gets populated

The Risk Timeline visualization gets populated by the risk_event_timeline_search macro in the macros.conf configuration file.

Following is an example of the risk_event_timeline_search macro: 

[risk_event_timeline_search]
args       = normalized_risk_object, risk_object_type
definition = from datamodel:"Risk.All_Risk" 
| search normalized_risk_object="$normalized_risk_object$" risk_object_type="$risk_object_type$" 
| `get_correlations` 
| rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_tactic as mitre_tactic, annotations.mitre_attack.mitre_technique_id as mitre_technique_id, annotations.mitre_attack.mitre_technique as mitre_technique


You can edit the risk_event_timeline_search macro in the macros.conf file to add filters or tokens based on your requirements. Go to Settings > Advanced search > Search macros to edit the macros.conf file. However, editing the risk_event_timeline_search macro can break the Risk Timeline visualization.

See also

For more information about risk notables and the visualizations available for RBA in Splunk Enterprise Security, see the product documentation.

Create risk notables in Splunk Enterprise Security

Analyze risk events using the Risk Timeline in Splunk Enterprise Security.

Analyze risk notables using Threat Topology in Splunk Enterprise Security

Fields in a risk notable.

Last modified on 12 February, 2024
PREVIOUS
Default risk factors in Splunk Enterprise Security 		  NEXT
Analyze risk events using the Risk Timeline in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0, 7.3.1

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters