Splunk® Enterprise Security

Administer Splunk Enterprise Security

Access the risk timeline visualization to review findings in Splunk Enterprise Security

Access the Timeline visualization to investigate the contributing intermediate findings that created a finding based on risk.

Use one of the following methods to access the Timeline visualization from the Analyst Queue on the Mission Control page in Splunk Enterprise Security:

  • Expand the finding and select the down arrow next to the Entity value.
  • Go to a specific finding and select the number in the Intermediate findings column, which is an active link.

Identify the intermediate findings associated with a finding

Follow these steps to identify the intermediate findings associated with a finding so that you can isolate the threat to your security environment:

  1. In the Splunk Enterprise Security app, go to the Analyst queue on the Mission Control page.
  2. In the Type column filter drop-down list, select Findings and select Apply to display the findings that have associated intermediate findings.
  3. Select the individual findings to review the following fields:
    Field                  Description
    Intermediate findings  Events that created the finding
    Risk score             Sum of the scores of all the contributing intermediate findings. For example, if there are 5 intermediate findings with risk scores of 10, 20, 30, 40, and 50, then the aggregated risk score is 150.
  4. Select the value of the Intermediate findings field in the row of the finding on the Mission Control page to open the Timeline visualization and further investigate the intermediate findings associated with the finding.
  5. Select the value in the Intermediate findings field for the finding that you want to investigate.
    Investigating a finding opens a window that contains two panels. The top panel displays a timeline visualization of the contributing intermediate findings that created the finding. The bottom panel includes a table with detailed information on those contributing intermediate findings.
  6. Sort the contributing intermediate findings in the table based on any of the following fields:
    • Time
    • Risk rule
    • Risk score
  7. Expand the finding in the Contributing intermediate findings table to further analyze the entities in your security environment.
    This includes information on the following fields:
    • Entity
    • Source
    • Risk score
    • Risk message
    • Saved search description
    • Threat object
    • Threat object type
  8. Select View contributing intermediate findings for information on the contributing intermediate findings that triggered the event.
    You can also search for specific contributing intermediate findings that created the findings through the filter.
  9. Correlate the intermediate findings with dates and the severity of the risk scores in the Timeline visualization to identify threats.
    You can zoom in and out to narrow down the time of occurrence, because the Timeline visualization plots the contributing intermediate findings with time on the x-axis and risk score on the y-axis.
  10. Select the color-coded icons in the Timeline visualization to view more information on the intermediate finding in a tooltip. The tooltip shows the following details about the intermediate finding:
    • Risk score
    • Event name
    • Description
    • Time
    • MITRE tactic
    • MITRE technique
  11. Select a finding on the timeline to highlight the associated row in the Contributing intermediate findings table.
  12. Identify the entity type using the icons displayed in the header of the Timeline visualization.
    The following is a list of the available icons:
    • User
    • System
    • Network artifacts
    • Other


See also

For more information on reviewing findings, see the product documentation:

Last modified on 30 August, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1

