Splunk® Enterprise Security

Use Splunk Enterprise Security

Risk analysis

The Risk analysis dashboard displays recent changes to risk scores and entities that have the highest risk scores. As an analyst, you can use this dashboard to assess relative changes in risk scores and examine the events that contribute to an entity's risk score.

You can use the Risk analysis dashboard to review changes to an entity's risk score, determine the source of a risk increase, and decide if additional action is needed.

Risk analysis dashboard filters

Use any of the available filters on the Risk analysis dashboard to search and filter the results. A filter is applied to all panels in the dashboard, but not the key security indicators.

Filter by Description
Index Filter by the risk index or test index.
Source Filter by the detection that has risk modifiers.
Entity type Filter by the type of entity such as system, user, hash_values, network_artifacts, host_artifacts, tools, other.
Entity Select an entity type and enter a string to filter by entity. Entity type defaults to All.
Time Filter by time window such as Relative time, Real time, Date Range, Date & Time Range, and so on.

The Entity filter works by performing a reverse lookup against the asset and identity tables to find all fields that have been associated with the specified Entity. All associated entities found by the reverse lookup then display on the dashboard. For example, if you select an entity type of system and enter an Entity of 10.10.1.100, the reverse lookup against the assets table could return a MAC address. The Risk analysis dashboard updates to display any risk score applied to the 10.10.1.100 address and a MAC address. If no match to another entity was found in the asset table, only the IP address matches from the risk analysis data model will be displayed.

Risk analysis dashboard panels

The risk analysis dashboard offers additional views to help analyze risk scoring changes and what caused the changes. Use the filters to refine the view to a specific entity or group of entities. Use the drilldown to explore the data as events.

Panel Description
Key indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard.
Risk score by entity Displays the entities with the highest risk score. The drilldown opens a search with the selected entity and scoped to the selected time frame.
Most active sources Displays the detections that contribute the highest amount of risk to any entity. The drilldown opens a search with the selected source.
Risk modifiers over time Displays the changes made to risk modifiers over time. Use the dashboard filters to scope the view to a specific entity or group of entities. The drilldown opens a search on all events in the risk data model scoped to the selected time frame.
Risk score by annotations Pie chart displays the risk score distribution and classifies them by annotations.
Risk modifiers by annotations Displays the changes to risk modifiers by annotations.
Risk modifiers by threat object Displays the risk modifiers by threat objects.


Use behavioral analytics detections on test index

Using the risk analysis dashboard, you can specify whether the panels use test or risk index, not the detections.

Specifying the test index gives you the option of vetting the data that is best suited for surfacing threats effectively instead of experimenting on the production data in the risk index.

Follow these steps to use the test index for your detections:

  1. In Splunk Enterprise Security, select Analytics and then Security intelligence.
  2. Select Risk analysis.
  3. In the Index field, select Risk or Test.

Review active detections

Using the risk analysis dashboard, you can identify the total number of detections that are turned on and point to the risk index. You can also review the total number of detections that are available in Splunk Enterprise Security as opposed to the number of detections that are pointed at the risk index. You can also turn on or turn off detections or point them to the test index as required.

Follow these steps to review the detections on the risk analysis dashboard:

  1. In Splunk Enterprise Security, select Analytics and then Security intelligence.
  2. Select Risk analysis.
  3. Go to the key indicator panel BA DETECTIONS IN THE RISK INDEX that displays the number of detections being used versus the number of available detections. For example: 24/74 that indicates 24 detections are being used out of 74 available detections.
  4. Select the key indicator, such as 24/74, which opens a new tab that displays the entire list of available detections and the detections that are already turned on for the risk index.
  5. Select Enable to the risk index to turn on a detection on the risk index.
  6. Select Disable to turn off the detection.
  7. Select Enable on the test index to turn on a detection on the test index.

For more information on activating behavioral analytics service on Splunk Enterprise Security, see Enable behavioral analytics service on Splunk Enterprise Security.

Review detailed information on risk annotations in context

On the risk analysis dashboard, you can review detailed information on risk annotations to get additional context that makes it easier to identify the root problem and detect security threats during the phases of a cybersecurity investigation.

Follow these steps to review detailed information on risk annotations in the context of an investigation:

  1. In Splunk Enterprise Security, select Analytics and then Security intelligence.
  2. Select Risk analysis.
  3. Go to the table on Risk modifiers by annotations.
  4. Select an annotation such as T1059 to display all the information on that MITRE tactic or technique.

For more information on how risk annotations provide additional context during an investigation, see How risk annotations provide additional context in Splunk Enterprise Security.

View the Risk Event Timeline visualization

On the risk analysis dashboard, you can access the Risk Event Timeline visualization for entities to review historical events easily during an investigation.

Follow these steps to access the Risk Event Timeline visualization from the risk analysis dashboard:

  1. In Splunk Enterprise Security, select Analytics and then Security intelligence.
  2. Select Risk analysis.
  3. Go to the panel Risk score by entity.
  4. Select the entity, which opens a new dialog box that displays the Risk Event Timeline visualization.

For more information on how the Risk Event Timeline visualization works in Splunk Enterprise Security, see How the Risk event Timeline visualization works in Splunk Enterprise Security.

Access threat object activity

From the risk analysis dashboard, you can navigate to activities related to specific threat objects and select a time range to isolate threats during an investigation.

Follow these steps to navigate to the Threat findings dashboard from the risk analysis dashboard:

  1. In Splunk Enterprise Security, select Analytics and then Security intelligence.
  2. Select Risk analysis.
  3. Go to the panel Risk modifiers by threat object .
  4. Select any threat object. This displays the Threat findings dashboard, which is populated with information on that specific threat object.
  5. Specify a time range on the threat findings dashboard if required. By default, the time range is set to when the investigation was initially opened and matches the time range used for the risk analysis dashboard.
Last modified on 24 October, 2024
User activity monitoring   Network dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters