Troubleshoot the display of the timeline visualization
Issue
For Splunk Enterprise Security version 7.1.0 or higher, the contributing intermediate findings for a finding might not be visible in the Timeline visualization.
Cause
The findings were created before the upgrade, and at least one of the following conditions is true:
- Entity zones are turned on.
- Changes are made to the entity zones that apply to existing findings.
- Asset and identity framework is turned off.
For example:
You have three entities such as Tom Black, tomb@splunk.com, and Tom's IP address (123.325.3456). All three are separate entities that might have different risk scores, but point to the same user. When you normalize these entities, all three entities can be grouped together, have the same risk score, and point to the same user. If you turn on or turn off the Asset and Identity framework or the CIM entity zones after normalizing the entities, the Timeline visualization might not display the three separate entities that existed prior to the risk normalization since it can only identify the normalized entity to detect risk.
For example, suppose the Asset and Identity framework was turned on when the findings were created, but after upgrading to Splunk Enterprise Security version 7.1 it was disabled using the following steps:
- In Splunk Enterprise Security, select Configure.
- Select Data Enrichment and then select Asset and Identity Management.
- Select Correlation Setup and then select Disable for all sourcetypes.
Now, if you select the Timeline visualization to search for a risk event, you might see the following error message: "Risk event search did not return any results. Please verify notable drill down search."
Similarly, suppose the CIM entity zones were enabled when the findings were created, but after upgrading to Splunk Enterprise Security version 7.1 the entity zones were reconfigured or disabled. Now, if you select the Timeline visualization to search for an intermediate finding, you might see the error message "Risk event search did not return any results. Please verify finding drilldown search."
Solution
If you want to identify all the contributing intermediate findings for a finding, you can run a search on the risk index.
For example:
Use the following search to find the contributing findings for the normalized entity (the user "pratik") without referencing the entity zone:
| from datamodel Risk.All_Risk | search risk_object="pratik"
instead of:
| from datamodel Risk.All_Risk | search normalized_risk_object="pratik_sanfrancisco"
Searching without any reference to the entity zone returns the list of normalized entities. However, this list of normalized entities that contribute to a finding is not rendered in the Timeline visualization, so the search results are the only place to review them.
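The following search is an added example (not from the Splunk documentation) that extends the risk-index search above: it summarizes the contributing findings per original entity value and its normalized form, so you can reconstruct what the Timeline visualization would have shown. It assumes that the Risk.All_Risk data model exposes the fields risk_object_type, risk_score, source and _time alongside risk_object and normalized_risk_object.

```spl
| from datamodel Risk.All_Risk
| search risk_object="pratik"
| stats min(_time) AS first_seen
        max(_time) AS last_seen
        sum(risk_score) AS total_risk
        dc(source) AS contributing_search_count
        values(source) AS contributing_searches
    BY risk_object risk_object_type normalized_risk_object
| convert ctime(first_seen) ctime(last_seen)
| sort - total_risk
```

Each row lists one original entity value with the normalized entity it was mapped to, the searches that raised risk against it, and the time window of those risk events, which is the information the Timeline visualization cannot render for findings created before the upgrade.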
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0