Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to produce redirect errors. To resolve redirect errors, use the version selector on the ES documentation homepage to navigate between the versions.

Access the intermediate findings timeline to review findings in Splunk Enterprise Security

Access the Intermediate findings timeline visualization to investigate the intermediate findings that created a finding based on risk.

Use one of the following methods to access the Intermediate findings timeline visualization from the Analyst Queue on the Mission Control page in Splunk Enterprise Security:

  • Expand the finding and select the down arrow next to the Entity value.
  • Go to a specific finding and select the number in the Intermediate findings column, which is an active link.
  • Select the investigation ID in the Analyst Queue.

The Intermediate findings timeline is consistent irrespective of how you access the visualization.

Identify the intermediate findings associated with a finding

Follow these steps to identify the intermediate findings associated with a finding so that you can isolate the threat to your security environment:

  1. In the Splunk Enterprise Security app, go to the Analyst queue on the Mission Control page.
  2. In the Type column filter drop-down list, select Findings and select Apply to display the findings that have associated intermediate findings.
  3. Select the individual findings to review the following fields:
    • Intermediate findings: The events that created the finding.
    • Risk score: The sum of the risk scores of all contributing intermediate findings. For example, if there are 5 intermediate findings with risk scores of 10, 20, 30, 40, and 50, the aggregated risk score is 150.
  4. Select the value of the Intermediate findings field in the row of the finding on the Mission Control page to open the Timeline visualization and further investigate the intermediate findings associated with the finding.
  5. Select the value in the Intermediate findings field for the finding that you want to investigate.
    Investigating a finding opens a window that contains two panels. The top panel displays a visualization of all the intermediate findings that created the finding. The bottom panel includes a table with detailed information on the intermediate findings.
  6. Sort the intermediate findings in the table based on any of the following fields:
    • Time
    • Description
    • Detection
    • Risk score
  7. Expand the finding in the Intermediate findings details table to further analyze the entities in your security environment.
    This includes information on the following fields:
    • Entity
    • Detection
    • Risk score
    • Description
    • Detection description
    • Annotations
    • Threat object
    • Threat object type
  8. Select View contributing intermediate findings for information on the intermediate findings that triggered the finding.
    You can also use the filter to search for specific intermediate findings that created the finding.
  9. Correlate the intermediate findings with dates and the severity of the risk scores in the Intermediate findings timeline visualization to identify threats.
    You can zoom in and out to narrow down the time of occurrence since the visualization plots the intermediate findings using time on the x-axis and the risk score on the y-axis.
  10. Select the color-coded icons in the Intermediate findings timeline visualization to view more information on the intermediate finding in a tooltip. The tooltip shows the following details about the intermediate finding:
    • Risk score
    • Detection
    • Description
    • Time
    • MITRE tactic
    • MITRE technique
  11. Select a finding on the timeline to highlight the associated row in the Intermediate findings details table.
  12. Identify the entity type using the icons displayed in the header of the Intermediate findings timeline visualization.
    The following is a list of the available icons:
    • User
    • System
    • Network artifacts


See also

For more information on reviewing findings, see the product documentation:

Last modified on 29 April, 2025

This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0

