Access the risk timeline visualization to review findings in Splunk Enterprise Security
Access the Timeline visualization to investigate the contributing intermediate findings that created a finding based on risk.
Use one of the following methods to access the Timeline visualization from the Analyst Queue on the Mission Control page in Splunk Enterprise Security:
- Expand the finding and select the down arrow next to the Entity value.
- Go to a specific finding and select the number in the Intermediate findings column, which is an active link.
Identify the intermediate findings associated with a finding
Follow these steps to identify the intermediate findings associated with a finding so that you can isolate the threat to your security environment:
- In the Splunk Enterprise Security app, go to the Analyst queue on the Mission Control page.
- In the Type column filter drop-down list, select Findings and select Apply to display the findings that have associated intermediate findings.
- Select the individual findings to review the following fields:
  - Intermediate findings: the events (intermediate findings) that created the finding.
  - Risk score: the sum of the risk scores of all contributing intermediate findings.
For example, if a finding has 5 intermediate findings with risk scores of 10, 20, 30, 40, and 50, the aggregated risk score is 150.
- Select the value in the Intermediate findings field for the finding that you want to investigate. The value is an active link that opens the Timeline visualization, where you can further investigate the intermediate findings associated with the finding.
Investigating a finding opens a window that contains two panels. The top panel displays a timeline visualization of the contributing intermediate findings that created the finding. The bottom panel includes a table with detailed information on each contributing intermediate finding.
- Sort the contributing intermediate findings in the table based on any of the following fields:
- Time
- Risk rule
- Risk score
- Expand a finding in the Contributing intermediate findings table to further analyze the entities in your security environment. The expanded row includes the following fields:
- Entity
- Source
- Risk score
- Risk message
- Saved search description
- Threat object
- Threat object type
- Select View contributing intermediate findings for details on the contributing intermediate findings that created the finding. You can also use the filter to search for specific contributing intermediate findings.
- Correlate the intermediate findings with their dates and the severity of their risk scores in the Timeline visualization to identify threats. The Timeline visualization plots the contributing intermediate findings with time on the x-axis and risk score on the y-axis, so you can zoom in and out to narrow down the time of occurrence.
- Select the color-coded icons in the Timeline visualization to view more information about an intermediate finding in a tooltip.
The tooltip shows the following details about the intermediate finding:
- Risk score
- Event name
- Description
- Time
- MITRE tactic
- MITRE technique
- Select a finding on the timeline to highlight the associated row in the Contributing intermediate findings table.
- Identify the entity type using the icons displayed in the header of the Timeline visualization.
The following is a list of the available icons:
- User
- System
- Network artifacts
- Other
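The steps above describe what the Timeline visualization computes from the contributing intermediate findings: the finding's risk score is the sum of the contributors' scores, the table can be sorted by time, risk rule or risk score, the filter narrows the table to matching contributors, and the plot places each contributor at (time, risk score) so that zooming to a time window isolates a subset. The following Python model reproduces those operations over constructed sample data so you can check your own reading of the visualization. It is an added example, not Splunk code; the record fields, the sample intermediate findings, and the tooltip key names are assumptions that mirror the columns named on this page, not the Enterprise Security schema.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class IntermediateFinding:
    """One contributing intermediate finding (a row of the Timeline table).
    Field names mirror the columns listed on this page; they are an
    illustrative assumption, not the Enterprise Security schema."""
    time: datetime
    entity: str
    risk_rule: str
    risk_score: int
    risk_message: str
    threat_object: str
    threat_object_type: str
    mitre_tactic: str
    mitre_technique: str


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2024-05-01T{hhmm}:00")


# Constructed sample, not real telemetry. The five "jdoe" rows carry scores
# 10..50 so the aggregate matches the worked example on this page (150);
# the "srv-db01" row shows that other entities do not contribute.
SAMPLE: List[IntermediateFinding] = [
    IntermediateFinding(_t("08:00"), "jdoe", "Excessive Failed Logins", 30,
                        "jdoe had 47 failed logins in 5 minutes", "10.0.0.5",
                        "ip", "Credential Access", "T1110"),
    IntermediateFinding(_t("08:15"), "jdoe", "Anomalous Geo Login", 20,
                        "Login for jdoe from a never-seen country", "203.0.113.9",
                        "ip", "Initial Access", "T1078"),
    IntermediateFinding(_t("09:00"), "jdoe", "Privilege Escalation via sudo", 50,
                        "jdoe ran sudo su - on ws-0421", "/usr/bin/sudo",
                        "process", "Privilege Escalation", "T1548"),
    IntermediateFinding(_t("09:30"), "jdoe", "Unusual Process Spawned", 40,
                        "powershell.exe spawned by winword.exe", "powershell.exe",
                        "process", "Execution", "T1059"),
    IntermediateFinding(_t("10:05"), "jdoe", "Outbound Connection to Rare Domain", 10,
                        "DNS query for a domain seen on no other host", "upd4te.example",
                        "domain", "Command and Control", "T1071"),
    IntermediateFinding(_t("09:10"), "srv-db01", "Service Account Interactive Logon", 25,
                        "svc_backup logged on interactively", "svc_backup",
                        "user", "Defense Evasion", "T1078"),
]

SORT_KEYS = ("time", "risk_rule", "risk_score")  # the page's three sort fields


def findings_for_entity(findings: Iterable[IntermediateFinding], entity: str) -> List[IntermediateFinding]:
    """Contributing intermediate findings of the finding raised on one entity."""
    return [f for f in findings if f.entity == entity]


def aggregate_risk_score(findings: Iterable[IntermediateFinding]) -> int:
    """The finding's Risk score: the sum of its contributors' scores."""
    return sum(f.risk_score for f in findings)


def sort_findings(findings: Iterable[IntermediateFinding], key: str, descending: bool = False) -> List[IntermediateFinding]:
    """Sort the table by Time, Risk rule or Risk score, as the UI allows."""
    if key not in SORT_KEYS:
        raise ValueError(f"sort key must be one of {SORT_KEYS}, got {key!r}")
    return sorted(findings, key=lambda f: getattr(f, key), reverse=descending)


def timeline_points(findings: Iterable[IntermediateFinding]) -> List[tuple]:
    """(x, y, label) points of the plot: time on x, risk score on y."""
    return [(f.time, f.risk_score, f.risk_rule) for f in sort_findings(findings, "time")]


def zoom(findings: Iterable[IntermediateFinding], start_iso: str, end_iso: str) -> List[IntermediateFinding]:
    """Contributors inside a zoomed time window [start, end) of the plot."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [f for f in findings if start <= f.time < end]


def filter_findings(findings: Iterable[IntermediateFinding], text: str) -> List[IntermediateFinding]:
    """The table filter: case-insensitive match on risk rule or risk message."""
    needle = text.lower()
    return [f for f in findings if needle in f.risk_rule.lower() or needle in f.risk_message.lower()]


def tooltip(f: IntermediateFinding) -> Dict[str, str]:
    """The details the page lists for a timeline icon's tooltip (key names assumed)."""
    return {"Risk score": str(f.risk_score), "Event name": f.risk_rule,
            "Description": f.risk_message, "Time": f.time.isoformat(),
            "MITRE tactic": f.mitre_tactic, "MITRE technique": f.mitre_technique}


if __name__ == "__main__":
    jdoe = findings_for_entity(SAMPLE, "jdoe")
    print("aggregate risk score for jdoe:", aggregate_risk_score(jdoe))
    for when, score, rule in timeline_points(jdoe):
        print(f"{when:%H:%M}  {score:>3}  {rule}")
    print("zoomed 08:30-10:00:", aggregate_risk_score(zoom(jdoe, "2024-05-01T08:30", "2024-05-01T10:00")))
```

The zoom and filter helpers are where this pays off during triage: a narrowed time window tells you how much of the 150 came from a burst of activity versus background noise, and a text filter over the rule names quickly confirms whether the contributors share a technique or merely a coincidental time range.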
See also
For more information on reviewing findings, see the product documentation:
- Create finding groups in Splunk Enterprise Security
- Manage findings included in investigations in Splunk Enterprise Security
- Review findings using the threat topology visualization in Splunk Enterprise Security
- Review findings using the risk timeline visualization in Splunk Enterprise Security
- Enable entity zones for assets and identities in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1