Splunk® Enterprise Security

Splunk Enterprise Security Tutorials

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Part 4: Review risk using the Risk Analysis dashboard

The Risk Analysis dashboard displays risk-related information for your security operations center (SOC).

Follow these steps to use the Risk Analysis dashboard to review the risk in your environment:

  1. In Splunk Enterprise Security, go to Security Intelligence.
  2. Select Risk Analysis.
  3. Select All Time.
  4. Explore the Risk Analysis dashboard to identify the risk objects with excessively high risk scores that you might want to investigate further. (Screen image: the Risk Analysis dashboard highlighting risk objects with excessively high risk scores.)
  5. Review the relationships between risk scores, risk objects, and count to get deeper insight into the behavioral context of the risk activity. (Screen image: the relationships between risk scores, risk objects, and count.)
  6. Review the threat objects and risk objects by drilling down based on their time of occurrence, and establish patterns in the adversarial activity. (Screen image: threat objects and risk objects shown through drilldown.)
  7. Review the risk objects that have a high risk score or multiple tactics associated with them. (Screen image: risk objects with a high risk score or multiple tactics.)
  8. Review the dashboard to identify risk notables that you might want to suppress, such as system-level alerts. (Screen image: risk notables that are candidates for suppression.)
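The following SPL search is an added example, not part of the tutorial or of the dashboard's own searches: it reproduces, from the search bar, the view that steps 4 through 7 give you in the dashboard, so the same review can be scripted or turned into a scheduled search. It assumes the default Risk.All_Risk data model fields that ship with Enterprise Security (calculated_risk_score, annotations.mitre_attack.mitre_tactic, threat_object); the thresholds of 100 for the aggregate score and 3 for distinct tactics are placeholders to tune for your environment.

```spl
| tstats summariesonly=true
    sum(All_Risk.calculated_risk_score) as risk_score
    count as risk_event_count
    dc(source) as source_count
    dc(All_Risk.annotations.mitre_attack.mitre_tactic) as tactic_count
    values(All_Risk.annotations.mitre_attack.mitre_tactic) as tactics
    values(All_Risk.threat_object) as threat_objects
    from datamodel=Risk.All_Risk
    by All_Risk.risk_object, All_Risk.risk_object_type
| rename All_Risk.* as *
| where risk_score >= 100 OR tactic_count >= 3
| sort - risk_score
| table risk_object, risk_object_type, risk_score, risk_event_count, source_count, tactic_count, tactics, threat_objects
```

A row with a high tactic_count but a source_count of 1 comes from a single correlation search annotated with several tactics rather than from independent detections, which makes it a candidate for the suppression review in step 8. Set the time range picker to match step 3 (All Time) or narrow it to the window you are triaging.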

See also

For more information on the Risk Analysis dashboard, see the product documentation:

Risk Analysis dashboard in the Use Splunk Enterprise Security manual.

Next step

Now that you have learned how to use the Risk Analysis dashboard, you can explore how to review risk notables for triaging.

Last modified on 14 June, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0, 7.3.0, 7.3.1, 7.3.2
