Investigate findings using drilldown searches and dashboards in Splunk Enterprise Security
Use drill-down searches in Splunk Enterprise Security to quickly pivot to a search related to a finding.
Additionally, you can drill-down to multiple dashboards if you want to view more than one drill-down search for a finding during your investigation. You can configure drill-down dashboards for a finding using the Create a finding adaptive response action in the detection editor. Drill-down dashboards provide additional context to the findings. You can access all the configured drill-down dashboards for a finding from the Mission Control page or from the Timeline visualization.
An error message might be displayed if you do not have the required permissions to access the dashboards or the dashboard no longer exists. You can also edit or delete the drilldown dashboards to reduce visual clutter if they are no longer needed.
Configure multiple drill down searches for a finding
Configure multiple searches as drill-downs to investigate different scenarios during investigations or when reviewing findings. You can access these drill-down searches easily from the finding.
If you use the detection editor in Splunk Enterprise Security version 7.2.0 or higher to edit a detection's SPL that includes legacy parameters specific to your environment (for example, parameters referenced in the detection through macros), those legacy parameters are deleted unless you upgraded them using custom scripts.
Do not edit configuration files manually when configuring multiple drill-down searches. If you are an on-prem user, you must use the UI to create drill-down searches; otherwise, you might see parsing errors. If you do see such errors, fix the issues in the configuration files before using multiple drill-down searches for investigations.
If you configure multiple drill-down searches for a finding, the Timeline visualization uses only the first drill-down search for the visualization.
- In Splunk Enterprise Security, go to the Mission Control page.
- Select Security content, then select Detections, and open the detection to which you want to add a drill-down search.
- Open the detection in the detection editor.
- In the detection editor, go to Adaptive response.
- Select Add new response action, then select Create a finding. Alternatively, you can edit the adaptive response action if it was added previously.
- Go to the Drill-down search section and select +Add drill-down search.
The following screenshot displays an example of populating the UI fields to add a drill-down search to a finding:
- Enter the Drill-down name.
- Enter the Drill-down search.
The fields Drill-down name and Drill-down search are required to configure a drill-down search.
- In the Drill-down earliest offset field, enter the amount of time before the time of the triggering event to look for related events for the Contributing intermediate findings link in the finding. For example, enter 2h to look for contributing intermediate findings 2 hours before the triggering event.
- In the Drill-down latest offset field, enter the amount of time after the time of the triggering event to look for related events for the Contributing intermediate findings link in the finding. For example, enter 1h to look for contributing intermediate findings 1 hour after the triggering event.
- Select +Drill-down search to add another drill-down search to the finding.
View drill-down searches associated with a finding
Follow these steps to view the drill-down searches associated with a finding:
- In Splunk Enterprise Security, select Security content.
- Select Detections and open the specific detection in the detection editor.
- Go to Adaptive response actions and then select Create a finding.
- If a drill-down search exists for the finding, use the Drill-down search to identify the following:
  - All relevant intermediate findings applied to the entity, including risk message, src, dest, user, and risk factors
  - MITRE ATT&CK annotations
  - Related entities associated with the intermediate findings
Alternatively, you can also use the following procedure to view the drill-down searches associated with a finding:
- In Splunk Enterprise Security, go to the Mission Control page.
- Expand the finding for which you want to view the drill-down searches.
- Go to Drill-down search and select the drill down search.
View drill down searches in the timeline visualization
You can view the drill down searches associated with a finding in the Timeline visualization. When viewing the Timeline visualization, select the drilldown field named Contributing intermediate findings: View contributing intermediate findings.
When you select the intermediate findings count on the Mission Control page, the drill-down searches for each individual event are displayed. However, only the first drill-down search for the finding is used to load the events listed in the Timeline visualization.
If you configured multiple drill-down searches for a finding, the timeline uses only the first drill-down search for the visualization.
Configure drill-down dashboards for a finding
To configure or edit drill-down dashboards, you must have the capability to view the specific dashboard and edit detections. To view the drill-down dashboard from the Mission Control page, you must have viewing permissions for the specific dashboard.
Follow these steps to configure a drill-down dashboard for a finding:
- In Splunk Enterprise Security, go to the detection editor.
- In the Adaptive response action section, expand Create a finding.
- Scroll to Drill-down dashboards and select + Add drill-down dashboard.
- Select a dashboard from the drop-down menu. This is a required field. For example: DA-ESS AccessProtection/access_anomalies
- Enter a name for the drill-down dashboard. This is a required field. For example: View the individual risk attributes.
- (Optional) Select Edit Tokens to open the Edit Tokens dialog and edit the dashboard tokens:
  - Enter the Token Name. Refer to the URL of the dashboard when you configure the drill-down dashboard to find the token name.
  - Enter the Token Value as $<token value>$.
  You can add multiple tokens by selecting +Drill-down Token in the Edit Tokens dialog box.
- Select Save to save the configured dashboards.
You can configure multiple drill-down dashboards for a finding by selecting + Add drill-down dashboard as required.
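The following is an added illustration, not Splunk code and not part of this page, of how the fields described above fit together: the earliest and latest offsets define a window around the triggering event, and $name$ tokens in a drill-down search or a dashboard token value are filled from the finding's fields. The sample finding, the offset syntax accepted, and the dashboard token names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Constructed sample finding (not real data): the field values a finding carries.
FINDING = {
    "_time": datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc),  # triggering event time
    "src": "10.1.2.3",
    "dest": "dc01.corp.example",
    "user": "jdoe",
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_offset(offset):
    """Parse an offset such as '2h' or '30m' into a timedelta; reject anything else."""
    m = re.fullmatch(r"(\d+)([smhd])", offset.strip())
    if not m:
        raise ValueError(f"unsupported offset: {offset!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


def drilldown_window(trigger_time, earliest_offset, latest_offset):
    """Epoch (earliest, latest) bounds: offsets apply before and after the triggering event."""
    earliest = trigger_time - parse_offset(earliest_offset)
    latest = trigger_time + parse_offset(latest_offset)
    return int(earliest.timestamp()), int(latest.timestamp())


def resolve_tokens(template, finding):
    """Replace each $name$ with the finding field of that name; an unknown token is an error."""
    def sub(m):
        name = m.group(1)
        if name not in finding:
            raise KeyError(f"finding has no field for token ${name}$")
        return str(finding[name])
    return re.sub(r"\$(\w+)\$", sub, template)


def drilldown_search(template, finding, earliest_offset, latest_offset):
    """Build the search string with tokens resolved and the time window appended."""
    earliest, latest = drilldown_window(finding["_time"], earliest_offset, latest_offset)
    return f"{resolve_tokens(template, finding)} earliest={earliest} latest={latest}"


def dashboard_url(base_url, tokens, finding):
    """Append resolved dashboard tokens as query parameters (token names are assumed)."""
    params = {name: resolve_tokens(value, finding) for name, value in tokens.items()}
    return f"{base_url}?{urlencode(params)}"
```

Failing on an unknown token rather than substituting an empty string is deliberate: a silently empty filter would widen the search to unrelated events.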
View drill-down dashboards for a finding
Prerequisite: Ensure that you have access to the dashboard. Otherwise, you might get a 404 error.
Follow these steps to view configured drill-down dashboards for a finding on the Mission Control page:
- In Splunk Enterprise Security, go to the Mission Control page.
- Expand the finding and scroll to the Drill-down dashboards section.
- Select the dashboard link to view the drill-down dashboard.
Follow these steps to view configured drill-down dashboards on the Timeline visualization:
- Access the Timeline visualization in Splunk Enterprise Security.
- Under Contributing intermediate findings, expand the finding and scroll to Drill-down dashboards.
- Select the dashboard link to view the drill-down dashboard.
Delete drill-down dashboards associated with a finding
Follow these steps to delete a configured drill-down dashboard for a finding to reduce visual clutter:
- In Splunk Enterprise Security, go to the detection editor. You can access the detection editor by selecting Content management and then selecting a detection.
- In the Adaptive response action section, expand Create a finding.
- Scroll to the dashboard you want to delete in the Drill-down dashboards section.
- Select X next to the dashboard to delete the dashboard.
See also
To learn more about configuring user roles, the risk timeline visualization, drill-down searches, and drill-down dashboards, see the product documentation:
- Use drilldown for dashboard interactivity in the Splunk Enterprise Dashboards and Visualizations manual
- Drill down on event details in the Search manual
- Configure users and roles in the Splunk Enterprise Security Installation and Upgrade Manual
- Access the risk timeline visualization to review findings in Splunk Enterprise Security
- Review findings using the risk timeline visualization in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1