Splunk® Enterprise Security

Use Splunk Enterprise Security

Investigate observables related to an investigation in Splunk Enterprise Security

In Splunk Enterprise Security, you can add threat intelligence data to enhance your security monitoring capabilities and enrich investigations with added context from observables. An observable is a piece of data indicating that an event has occurred or been observed on a computer system, network, or other digital entity. Splunk Enterprise Security records observables, which can be malicious or benign, as part of an investigation. With threat intelligence data, you can correlate known threats and indicators of suspicious activity with your events.

After you have access to threat intelligence data, you can start managing observables and reviewing their priority scores on the Intelligence tab of your investigation.

Filter and sort observables

Filter, sort, and search for observables on the Intelligence tab of your investigation in Splunk Enterprise Security. To manage observables, complete the following steps:

  1. In Splunk Enterprise Security, select Mission Control.
  2. Select an investigation from the analyst queue.
  3. Select View details.
  4. Select the Intelligence tab.
  5. To filter observables, select the column header of the field you want to filter by. You can sort and filter a field by selecting the down arrow icon in the column header or by entering a search in the observable search bar. Fields that aren't filterable don't have a filter menu with check boxes.
  6. In the filter menu, select a value. For some fields, such as Score, you can select multiple values, such as Medium and High.
  7. To remove a filter so that it no longer applies to observables, select the remove icon next to the respective filter, or select Clear all to remove them all.
  8. To sort observables, select the column header of the field you want to sort by. Then, select the up arrow icon or the down arrow icon to determine which observables appear first.

Review priority scores for observables

After you set up threat intelligence in Splunk Enterprise Security, select an observable in the Intelligence tab of your investigation to begin exploring potential pain points.

The list of observables includes those found in the following investigation fields:

  • host
  • orig_host
  • dvc
  • dest
  • src
  • src_user
  • user
  • cve
  • dest_dns
  • dest_ip
  • dest_nt_domain
  • dest_nt_host
  • dest_translated_ip
  • dns
  • dvc_dns
  • dvc_ip
  • dvc_nt_host
  • file_hash
  • file_name
  • file_path
  • hash
  • ip
  • nt_host
  • orig_host_dns
  • orig_host_ip
  • orig_host_nt_host
  • path
  • recipient
  • sender
  • src_dns
  • src_ip
  • src_nt_domain
  • src_nt_host
  • src_user_email
  • src_user_identity
  • src_user_id
  • threat_ip
  • url
  • user_email
  • user_identity
  • user_id
  • threat_source_path
  • risk_object
  • risk_object_type
  • threat_object
  • threat_object_type
  • threat_match_value
  • threat_match_field

Some of these fields require a companion field to be present before intelligence data appears in the Intelligence tab of an investigation:

  • risk_object requires risk_object_type
  • threat_object requires threat_object_type
  • threat_match_value requires threat_match_field

Different intelligence sources often use different scoring systems, which makes it difficult to compare threats across sources. For example, one source might use the scale of 1 through 10 for severity, and another source might use text labels such as Benign or Malicious.

The threat intelligence system normalizes the different scores using a conversion table so that you can compare all scores across different intelligence sources. You can use these scores to evaluate the risk associated with an observable or risk event.

After you select an observable, you can find its passthru score and normalized score by expanding the Most recent reporting from each source section. The priority score is the badge that appears in the Summary of "<observable>" section.

The following scores are associated with each observable:

  • Passthru score: The original score assigned to the observable by an external intelligence source.
  • Normalized score: The score created by the threat intelligence system and assigned to the observable to show the relative severity of the observable. Normalized scoring automatically converts the passthru score from an intelligence source into a value that reflects the observable's severity on a standardized scale.
  • Priority score: The score that aggregates the normalized scores from all the IOCs to create one score for that observable.
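To make the passthru, normalized and priority scores concrete, here is an added Python example (not Splunk's code) that maps passthru scores from two differently scaled sources onto one scale and aggregates them into a priority score for an observable. The conversion table, the 0-100 scale, the "highest score wins" aggregation rule and the Low/Medium/High bands are assumptions for illustration; Splunk's actual conversion table is not documented on this page.

```python
"""Constructed example: normalize intelligence scores from sources that use
different scales, then aggregate them into one priority score per observable.
The conversion table, 0-100 scale and max-based aggregation are assumptions."""
from typing import List, Tuple, Union

PassthruScore = Union[int, float, str]

# Assumed conversion entry for a source that reports text labels.
TEXT_LABELS = {"benign": 0, "suspicious": 50, "malicious": 100}


def normalize(source: str, passthru: PassthruScore) -> int:
    """Map a source-specific passthru score onto the shared 0-100 scale."""
    if source == "numeric_1_10":          # assumed source: severity 1..10
        value = float(passthru)
        if not 1 <= value <= 10:
            raise ValueError(f"{source}: score {passthru!r} outside 1..10")
        return round(value * 10)
    if source == "text_labels":           # assumed source: Benign/Malicious
        label = str(passthru).strip().lower()
        if label not in TEXT_LABELS:
            raise ValueError(f"{source}: unknown label {passthru!r}")
        return TEXT_LABELS[label]
    raise ValueError(f"no conversion table entry for source {source!r}")


def priority_score(reports: List[Tuple[str, PassthruScore]]) -> int:
    """Aggregate the normalized scores from every IOC report into one score.
    Assumed rule: the highest normalized score wins, so a single Malicious
    verdict is not diluted by benign reports from other sources."""
    if not reports:
        return 0  # observable with no intelligence information
    return max(normalize(src, score) for src, score in reports)


def score_band(priority: int) -> str:
    """Assumed banding into the labels offered by the Score filter."""
    if priority >= 70:
        return "High"
    if priority >= 40:
        return "Medium"
    return "Low"


# Constructed sample: one observable reported by two sources.
SAMPLE_REPORTS = [("numeric_1_10", 3), ("text_labels", "Malicious")]

if __name__ == "__main__":
    for src, s in SAMPLE_REPORTS:
        print(f"{src}: passthru={s!r} normalized={normalize(src, s)}")
    p = priority_score(SAMPLE_REPORTS)
    print(f"priority={p} ({score_band(p)})")
```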

Some observables don't have any intelligence information. If you select an observable with no intelligence information, select Search to open the Search page and find related threat intelligence indicators.

Intelligence sources provide the tags and attributes for the observable in the Summary of "<observable>" section. However, you can't distinguish which specific intelligence source provided each tag or attribute.

See also

For more details on threat intelligence in Splunk Enterprise Security, see the product documentation:

Last modified on 17 December, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
