Review findings using the threat topology visualization in Splunk Enterprise Security
Use the Threat topology visualization in Splunk Enterprise Security to isolate risk and review the finding beyond the infected user, improve situational awareness, and get a comprehensive view of the entire security operations center (SOC).
The Threat topology visualization helps you to identify how the different entities that create a finding relate to each other. Investigating the potential connections between multiple entities that relate to a particular threat is especially useful when the aggregated risk score of the finding is high. You can display a maximum of 20 entities that pertain to a single threat object in the Threat topology visualization.
All information on threat objects already exists in the finding. The '''Threat topology''' visualization only helps you to identify the other entities such as users and systems that are related to the threats, which created a specific finding.
Follow these steps to analyze findings using the Threat topology visualization:
- In the Splunk Enterprise Security app, go to the Analyst queue on the Mission Control page.
- In the Type column filter dropdown list, select Findings and select Apply to display the findings that have associated intermediate findings.
- For any finding, select the number of intermediate findings in the Intermediate findings column.
- Select the Threat topology option to display the threat topology visualization of the entities for the finding.
- Select any entity to highlight the related entities or threat objects.
- Select an entity to display details such as risk scores, priority, and so on.
You can also select View in Risk analysis to analyze the entity in the Risk analysis dashboard.
You can also select View in Threat activity to analyze the threat object in the Threat activity dashboard. - Specify the time range to drill down further into the intermediate finding created by the entity.
How the threat topology visualization gets populated
The Threat topology visualization gets populated if intermediate findings share the same threat object.
- In the Splunk Enterprise Security app, open the detection in the detection editor.
- Go to Assign risk.
- Enter the risk score that you want to assign to the entity.
- Select a field from the finding to apply the risk score to the Entity field.
- Select the Entity type to which you want to apply the risk score.
- In the Threat object field, add a threat object. For example: payload.
- In the Threat object Type field, add the type of threat object. For example: file_hash
These fields must exist in your detection SPL.
Populating the threat object fields connects the threat object to the entity in your detections and populates the Threat topology visualization.
See also
For more information on reviewing findings, see the product documentation:
Access the risk timeline visualization to review findings in Splunk Enterprise Security | Create response plans in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!