Reviewing findings using the risk timeline visualization in Splunk Enterprise Security
Use the Timeline visualization to drill down and analyze the relationship between intermediate findings and their associated risk score. You can also analyze the intermediate findings associated with a finding by expanding the finding and reviewing specific fields. Additionally, there is a Contributing intermediate findings search link displayed on the Timeline visualization.
The Timeline visualization uses color codes on the icons to indicate the severity of the risk scores. The color coding of risk score icons is consistent across the Contributing intermediate findings table and the Timeline visualization of the intermediate findings. A lighter color icon corresponds to a lower risk score.
You might not be able to use the Timeline visualization unless all required fields are present within the finding.
You can view a maximum of 100 intermediate findings on the Contributing intermediate findings table and the Timeline visualization. If you have more than 100 intermediate findings, the event count displays as 100+ on the header and includes a link to the search page that displays the complete list of intermediate findings. If the number of intermediate findings is less than 100, the event count displays as is.
The risk score in the Contributing intermediate findings table and the Timeline visualization is the calculated risk score of all events.
How the risk timeline visualization gets populated
The Timeline visualization gets populated by the risk_event_timeline_search macro in the macros.conf configuration file.
The following is an example of the risk_event_timeline_search macro:

[risk_event_timeline_search]
args = normalized_risk_object, risk_object_type
definition = from datamodel:"Risk.All_Risk" | search normalized_risk_object="$normalized_risk_object$" risk_object_type="$risk_object_type$" | `get_correlations` | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_tactic as mitre_tactic, annotations.mitre_attack.mitre_technique_id as mitre_technique_id, annotations.mitre_attack.mitre_technique as mitre_technique
You can edit the risk_event_timeline_search macro in the macros.conf file to add filters or tokens based on your requirements. Go to Settings, select Advanced search, and then select Search macros to edit the macros.conf file. However, editing the risk_event_timeline_search macro can break the Timeline visualization.
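As an added example that is not part of Splunk Enterprise Security or its documentation, the following Python preflight parses a macros.conf stanza, checks that an edited risk_event_timeline_search macro still declares exactly the two arguments the Timeline passes and that every $token$ in the definition is a declared argument, and then expands the tokens by literal replacement, which is how macro arguments are substituted. The sample stanza and the argument values are constructed for the example.

```python
"""Preflight check for an edited risk_event_timeline_search macro.
Example code, not part of Splunk ES; the stanza below is a constructed
sample (shortened) based on the macro shown in the documentation."""
import configparser
import re

# Constructed sample of the [risk_event_timeline_search] stanza.
SAMPLE_MACROS_CONF = r'''
[risk_event_timeline_search]
args = normalized_risk_object, risk_object_type
definition = from datamodel:"Risk.All_Risk" | search normalized_risk_object="$normalized_risk_object$" risk_object_type="$risk_object_type$" | `get_correlations` | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id
'''

# The two arguments the Timeline visualization passes to the macro.
REQUIRED_ARGS = ("normalized_risk_object", "risk_object_type")


def load_macro(conf_text, name):
    """Return (args, definition) for one [stanza] of a macros.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    stanza = cp[name]
    args = [a.strip() for a in stanza.get("args", "").split(",") if a.strip()]
    return args, stanza["definition"]


def check_macro(args, definition):
    """Return problems that would break the Timeline: the args list no longer
    matches what the visualization passes, or a $token$ has no declared arg."""
    problems = []
    if tuple(args) != REQUIRED_ARGS:
        problems.append(f"args must be exactly {REQUIRED_ARGS}, got {tuple(args)}")
    for token in sorted(set(re.findall(r"\$(\w+)\$", definition))):
        if token not in args:
            problems.append(f"definition references ${token}$ which is not a declared arg")
    return problems


def expand_macro(definition, args, values):
    """Substitute each $arg$ token with its value (literal replacement)."""
    expanded = definition
    for arg, value in zip(args, values):
        expanded = expanded.replace(f"${arg}$", value)
    return expanded


if __name__ == "__main__":
    args, definition = load_macro(SAMPLE_MACROS_CONF, "risk_event_timeline_search")
    print(check_macro(args, definition) or "macro OK")
    print(expand_macro(definition, args, ["10.1.2.3", "system"]))
```

Run the check against a copy of the stanza before saving an edit in Search macros; an added $token$ without a matching entry in args is exactly the kind of change that breaks the visualization.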
See also
For more information on reviewing findings, see the product documentation:
Review risk-based findings in Splunk Enterprise Security
Access the risk timeline visualization to review findings in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0