Configure dispositions for findings in Splunk Enterprise Security
Configure a disposition for a finding or an investigation to classify the findings and investigations based on the threat level associated with them. Configuring dispositions helps to accelerate the triage process by accurately separating the false positives.
Add a disposition to a finding or an investigation
Adding a disposition helps to separate the false positives without impacting the status of the finding, such as New, In-progress, Closed, and so on. Add or edit the disposition for a finding or investigation by selecting the finding or investigation from the analyst queue and editing the details.
Follow these steps to add or edit the disposition of a finding or investigation in Splunk Enterprise Security:
- In Splunk Enterprise Security, select the Mission Control page.
- Go to the Analyst queue table that lists the findings and investigations.
- Select the finding or investigation to which you want to add a disposition to open the details panel.
- From the Disposition drop-down menu, select one of the following options:
- Undetermined: Finding does not have a valid disposition due to an error.
- True Positive - Suspicious Activity: Finding indicates suspicious threat activity.
- Benign Positive - Suspicious But Expected: Finding was initially suspicious but then classified as harmless and expected.
- False Positive - Incorrect Analytic Logic: Finding was initially suspicious but then classified as harmless due to incorrect analytic logic.
- False Positive - Inaccurate Data: Finding was initially suspicious but then classified as harmless due to inaccurate data.
- Other: A catchall category for findings that are not classified.
- Testing: Category for testing field inputs and drilldown searches.
- Select Save Changes.
The default option for the Disposition field is "Undetermined", which means that a disposition is not configured for the finding. You can also add a custom disposition to the finding or investigation.
Turn on or turn off dispositions
Follow these steps to turn on or turn off dispositions in Splunk Enterprise Security:
- In Splunk Enterprise Security, select Configure.
- Select Findings and investigations and then select Dispositions.
The Dispositions panel lists the available dispositions to categorize the findings as follows:
- Undetermined
- True Positive - Suspicious Activity
- Benign Positive - Suspicious But Expected
- False Positive - Incorrect Analytic Logic
- False Positive - Inaccurate Data
- (Optional)From the Status column, select Turn off to turn off a disposition. All available dispositions are turned on by default.
- Select the Required toggle to mandate entering a disposition before closing a finding.
Add custom dispositions to a finding or investigation
Follow these steps to create a custom disposition for findings and investigations:
- In Splunk Enterprise Security, select Configure.
- Select Findings and investigations, and then select Dispositions.
- Select +Disposition.
- In the New disposition dialog, enter a label for the new disposition.
- In the New Disposition dialog, enter a description for the new disposition.
- (Optional)Select Set as default if you want to configure this new disposition as the default.
As a security administrator, you can configure Splunk Enterprise Security so that a finding or an investigation cannot be closed without adding a disposition so that no findings or investigations are overlooked and each finding has a priority value associated with it. When attempting to close a finding, you might see errors when you try to change the status of a finding. Your SOC configuration setting might require you to add a disposition to the finding when making changes to its end status such as Closed or Resolved. - Select Save.
See also
For more information on status and dispositions for findings and investigations, see the product documentation:
Configure the status of findings and investigations in Splunk Enterprise Security | Investigate findings using drilldown searches and dashboards in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!