Splunk® Enterprise Security

Administer Splunk Enterprise Security

Managing Incident Review in Splunk Enterprise Security

detects patterns in your data and automatically reviews events for security-relevant incidents using correlation searches. When a correlation search detects a suspicious pattern, the correlation search creates an alert called a notable event.

The Incident Review dashboard surfaces all notable events, and categorizes them by potential severity so analysts can quickly triage, assign, and track issues.

How risk scores display in Incident Review

Risk scores do not display in Incident Review for every asset or identity. Only assets or identities (risk objects) that have a risk score and a risk object type of "system," "user," or "other" display in Incident Review. Risk scores only show for the following fields: orig_host, dvc, src, dest, src_user, and user. The risk score for an asset or identity might not match the score on the Risk Analysis dashboard. The risk score is a cumulative score for an asset or identity, rather than a score specific to an exact username.

  • For example, if a person has a username of "buttercup" that has a risk score of 40, and an email address of "buttercup@splunk.com" with a risk score of 60, and the identity lookup identifies that "buttercup" and "buttercup@splunk.com" belong to the same person, a risk score of 100 displays on Incident Review for both "buttercup" and "buttercup@splunk.com" accounts.
  • As another example, if an IP of has a risk score of 80 and an IP of has a risk score of 30, and the asset lookup identifies that a range of IPs " -" belong to the same asset, a risk score of 110 displays on Incident Review for both "" and "" IP addresses.

Risk scores are calculated for Incident Review using the Threat - Risk Correlation By <type> - Lookup Gen lookup generation searches. The searches are run every 30 minutes and focus on the last 7 days of risk events to update the risk_correlation_lookup lookup file. To see more frequent updates to the risk scores in Incident Review, update the cron_schedule of the saved searches.

Get started with risk based alerting using Splunk app for Fraud Analytics

The Splunk app for Fraud Analytics leverages the risk-based alerting (RBA) framework of Splunk Enterprise Security. Use this app to get started with RBA if you do not have prior knowledge of SPL. The app includes default correlation searches and dashboards that lets you view high fidelity actionable fraud alerts related to account take overs and new account fraud. You can display the fraud related alerts within the Incident Review panel of Splunk Enterprise Security. You can also drill down on the fraud analysis dashboards from fraud notables within the Incident Review panel of the app to identify fraud.

For more information on using the app, see Overview of the Splunk app for Fraud Analytics.

Notify an analyst of untriaged notable events

You can use a correlation search to notify an analyst if a notable event has not been triaged.

  1. Select Configure > Content > Content Management.
  2. Locate the Untriaged Notable Events correlation search using the filters.
  3. Modify the search, changing the notable event owner or status fields as desired.
  4. Set the desired alert action.
  5. Save the changes.
  6. Turn on the Untriaged Notable Events correlation search.
Last modified on 31 July, 2023
Administering Splunk Enterprise Security   Customize Incident Review in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters