Reviewing findings using the intermediate findings timeline in Splunk Enterprise Security
Use the Intermediate findings timeline visualization to drill down and analyze the relationship between intermediate findings and their associated risk scores.
The header of the visualization displays the Entity, Risk score, Threshold, and Intermediate findings count associated with the finding. The visualization color-codes the icons to indicate the severity of the risk scores, and the color coding is the same in the Intermediate findings details table and in the Intermediate findings timeline visualization. A lighter icon corresponds to a lower risk score.
Use the zoom + and - toggle buttons, or select Scroll to zoom, to magnify the visualization. The toggle buttons and the Scroll to zoom option zoom along the x-axis (time); to zoom along the y-axis (risk score), select and drag on the visualization.
The Intermediate findings details table lists all of the intermediate findings in a paginated format. The risk score shown in both the Intermediate findings details table and the Intermediate findings timeline visualization is the risk score calculated across all contributing events. You can collapse or expand the Intermediate findings timeline visualization and the Intermediate findings details table. The number of intermediate findings is also displayed next to the Intermediate findings details table.
The Intermediate findings details table and the visualization show at most 100 intermediate findings. If a finding has more than 100 intermediate findings, the event count in the header displays as 100+ and includes a link to the search page that lists the complete set of intermediate findings. If the number of intermediate findings is 100 or fewer, the header displays the exact count.
The Intermediate findings timeline visualization is available only when all of the fields it requires are present in the finding.
How the visualization gets populated
The Intermediate findings timeline visualization is populated by the risk_event_timeline_search macro in the macros.conf configuration file.
The following is an example of the risk_event_timeline_search macro:

[risk_event_timeline_search]
args = normalized_risk_object, risk_object_type
definition = from datamodel:"Risk.All_Risk" | search normalized_risk_object="$normalized_risk_object$" risk_object_type="$risk_object_type$" | `get_correlations` | rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_tactic as mitre_tactic, annotations.mitre_attack.mitre_technique_id as mitre_technique_id, annotations.mitre_attack.mitre_technique as mitre_technique
You can edit the risk_event_timeline_search macro in the macros.conf file to add filters or tokens based on your requirements. To edit it in Splunk Web, go to Settings, select Advanced search, and then select Search macros. However, editing the risk_event_timeline_search macro can break the Intermediate findings timeline visualization: the visualization depends on the two macro arguments and on the fields that the definition returns, so changes that rename the arguments or drop fields from the output are the most likely to break it.
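The following macros.conf stanza is an added example, not a stanza from the Splunk documentation or from the product, showing the kind of edit that leaves the visualization intact: the stock definition is kept as-is, and one extra filter is inserted between the data model search and `get_correlations`. The filter excludes intermediate findings produced by a hypothetical noisy detection named "Threat - Lab Scanner Noise - Rule"; that search name, the choice of the source field to match it, and the use of a local/ override file are all assumptions. The args line and the final rename are left unchanged because the visualization relies on those fields.

```conf
# Added example (not Splunk's stock stanza). Place in the local/macros.conf
# of the app that owns the finding view so the default stanza stays untouched.
# The excluded correlation search name is hypothetical.
[risk_event_timeline_search]
args = normalized_risk_object, risk_object_type
definition = from datamodel:"Risk.All_Risk" \
| search normalized_risk_object="$normalized_risk_object$" risk_object_type="$risk_object_type$" \
| search NOT source="Threat - Lab Scanner Noise - Rule" \
| `get_correlations` \
| rename annotations.mitre_attack.mitre_tactic_id as mitre_tactic_id, annotations.mitre_attack.mitre_tactic as mitre_tactic, annotations.mitre_attack.mitre_technique_id as mitre_technique_id, annotations.mitre_attack.mitre_technique as mitre_technique
```

Before relying on the edited macro, run it directly in Search over a short time range, for example `risk_event_timeline_search("host01", "system")` wrapped in backticks with a real entity from your environment, and confirm that the results still carry the risk score and the mitre_tactic and mitre_technique fields the stock definition returns. If the Intermediate findings timeline visualization is blank after the change, remove the local override to fall back to the stock definition.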
See also
For more information on reviewing findings, see the product documentation:
- Review risk-based findings in Splunk Enterprise Security
- Access the intermediate findings timeline to review findings in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0