Splunk® Enterprise Security

Administer Splunk Enterprise Security

Reviewing findings using the risk timeline visualization in Splunk Enterprise Security

Use the Timeline visualization to drill down and analyze the relationship between intermediate findings and their associated risk score. You can also analyze the intermediate findings associated with a finding by expanding the finding and reviewing specific fields. Additionally, there is a Contributing intermediate findings search link displayed on the Timeline visualization.

The Timeline visualization uses color codes on the icons to indicate the severity of the risk scores. The color coding of risk score icons is consistent across the Contributing intermediate findings table and the Timeline visualization of the intermediate findings. A lighter color icon corresponds to a lower risk score.

You might not be able to use the Timeline visualization unless all required fields are present within the finding.

You can view a maximum of 100 intermediate findings on the Contributing intermediate findings table and the Timeline visualization. If you have more than 100 intermediate findings, the event count displays as 100+ on the header and includes a link to the search page that displays the complete list of intermediate findings. If the number of intermediate findings is less than 100, the event count displays as is.

The risk score in the Contributing intermediate findings table and the Timeline visualization is the calculated risk score of all events.

How the risk timeline visualization gets populated

The Timeline visualization gets populated by the risk_event_timeline_search macro in the macros.conf configuration file.

The following is an example of the risk_event_timeline_search macro:

[risk_event_timeline_search]
args       = normalized_risk_object, risk_object_type
definition = from datamodel:"Risk.All_Risk" 
| search normalized_risk_object="$normalized_risk_object$" risk_object_type="$risk_object_type$" 
| `get_correlations` 
| rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_tactic as mitre_tactic, annotations.mitre_attack.mitre_technique_id as mitre_technique_id, annotations.mitre_attack.mitre_technique as mitre_technique


You can edit the risk_event_timeline_search macro in the macros.conf file to add filters or tokens based on your requirements. Go to Settings, select Advanced search, and then select Search macros to edit the macros.conf file. However, editing the risk_event_timeline_search macro can break the Timeline visualization.

See also

For more information on reviewing findings, see the product documentation:

Last modified on 30 August, 2024
Review risk-based findings in Splunk Enterprise Security   Access the risk timeline visualization to review findings in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters