Splunk® Enterprise Security

Troubleshoot Splunk Enterprise Security

Troubleshoot the display of the timeline visualization

Issue

In Splunk Enterprise Security version 7.1.0 or higher, the intermediate findings that contribute to a finding might not be visible in the Timeline visualization.

Cause

The findings were created before the upgrade and any one of the following conditions was true:

  • Entity zones are turned on.
  • Changes are made to the entity zones that apply to existing findings.
  • Asset and identity framework is turned off.

For example:

You have three entities, such as Tom Black, tomb@splunk.com, and Tom's IP address (123.325.3456). All three are separate entities that might have different risk scores but point to the same user. When you normalize these entities, all three are grouped together, share the same risk score, and point to the same user. If you turn the Asset and Identity framework or the CIM entity zones on or off after normalizing the entities, the Timeline visualization might not display the three separate entities that existed before the risk normalization, because it can only identify the normalized entity when detecting risk.

Suppose the Asset and Identity framework was turned on and findings were created. Then, after upgrading to Splunk Enterprise Security version 7.1, the framework was disabled using the following steps:

  1. In Splunk Enterprise Security, select Configure.
  2. Select Data Enrichment and then select Asset and Identity Management.
  3. Select Correlation Setup and then select Disable for all sourcetypes.

Now, if you select the Timeline visualization to search for a risk event, you might see the following error message: "Risk event search did not return any results. Please verify notable drill down search."

Similarly, suppose the CIM entity zones were enabled and findings were created, and then, after upgrading to Splunk Enterprise Security version 7.1, the entity zones were reconfigured or disabled. Now, if you select the Timeline visualization to search for an intermediate finding, you might see the error message "Risk event search did not return any results. Please verify finding drilldown search."

Solution

To identify all the intermediate findings that contribute to a finding, run a search on the risk index.

For example, use the following search to identify the normalized entity (user) "pratik" without referencing the entity zone:

| from datamodel Risk.All_Risk | search risk_object="pratik"

instead of:

| from datamodel Risk.All_Risk | search normalized_risk_object="pratik_sanfrancisco"

Searching without any reference to the entity zone returns the list of normalized entities. However, this list of normalized entities that contribute to a finding is not rendered in the Timeline visualization.
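As an added example that is not part of the original topic, the following search extends the risk_object search above so that, for each risk object, it shows which normalized entity the object maps to, which risk-based searches contributed events, and the time span they cover. This is the view that the Timeline visualization cannot render when the entity zone or Asset and Identity configuration changed after the findings were created. The risk_object_type and search_name fields are assumed to be present in Risk.All_Risk alongside the risk_object and normalized_risk_object fields used in the searches above; adjust the field names if your data model differs.

```spl
| from datamodel Risk.All_Risk
| search risk_object="pratik"
| stats count AS contributing_events
        sum(risk_score) AS total_risk_score
        values(normalized_risk_object) AS normalized_entities
        values(search_name) AS contributing_searches
        min(_time) AS first_seen
        max(_time) AS last_seen
    BY risk_object risk_object_type
| convert ctime(first_seen) ctime(last_seen)
```

Because the search keys on risk_object rather than normalized_risk_object, it returns the same rows regardless of how the entity zones are currently configured, and the normalized_entities column shows which zone-qualified entity (such as "pratik_sanfrancisco") each raw risk object was folded into. Run it over the same time range as the finding you are investigating so the event count and total_risk_score correspond to what the finding aggregated.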

Last modified on 30 August, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
