Investigate observables related to an investigation in Splunk Enterprise Security

In Splunk Enterprise Security, you can add threat intelligence data to enhance your security monitoring capabilities and enrich investigations with added context from observables. An observable is a piece of data indicating that an event has occurred or been observed on a computer system, network, or other digital entity. Splunk Enterprise Security record observables, which can be malicious or benign, as part of an investigation. With threat intelligence data, you can correlate known threats and indicators of suspicious activity with your events.

After you have access to threat intelligence data, you can start managing observables and reviewing their priority scores on the Intelligence tab of your investigation.

Filter and sort observables

Filter, sort, and search for observables on the Intelligence tab of your investigation in Splunk Enterprise Security. To manage observables, complete the following steps:

1. In Splunk Enterprise Security, select Mission Control.
2. Select an investigation from the analyst queue.
3. Select View details.
4. Select the Intelligence tab.
5. To filter observables, select the column header of the field you want to filter by. You can sort and filter a field by selecting the down arrow icon ( ) in the column header or by entering a search in the observable search bar. Fields that aren't filterable don't have a filter menu with check boxes.
6. In the filter menu, select a value. For some fields, such as Score, you can select multiple values, such as Medium and High.
7. To remove a filter so that it no longer applies to observables, select the remove icon ( ) next to the respective filter, or select Clear all to remove them all.
8. To sort observables, select the column header of the field you want to sort by. Then, select the up arrow icon ( ) or the down arrow icon ( ) to determine which observables appear first.

Review priority scores for observables

After you set up threat intelligence in Splunk Enterprise Security, select an observable in the Intelligence tab of your investigation to begin exploring potential pain points.

The list of observables includes those found in the following investigation fields:

• risk_object
• threat_object
• threat_match_value
• host
• orig_host
• dvc
• dest
• src
• src_user
• user

Different intelligence sources often use different scoring systems, which makes it difficult to compare threats across sources. For example, one source might use the scale of 1 through 10 for severity, and another source might use text labels such as Benign or Malicious.

The threat intelligence system normalizes the different scores using a conversion table so that you can compare all scores across different intelligence sources. You can use these scores to evaluate the risk associated with an observable or risk event.

After you select an observable, you can find its passthru score and normalized score by expanding the Most recent reporting from each source section. The priority score is the badge that appears in the Summary of "<observable>" section.

The following table defines the scores associated with each observable.

Some observables don't have any intelligence information. If you select an observable with no intelligence information, select Search to open the Search page and find related threat intelligence indicators.

Intelligence sources provide the tags and attributes for the observable in the Summary of "<observable>" section. However, you can't distinguish which specific intelligence source provided each tag or attribute.

See also

For more details on threat intelligence in Splunk Enterprise Security, see the product documentation:

• Overview of threat intelligence in Splunk Enterprise Security
• Configure intelligence source integrations in Splunk Enterprise Security
• Turn on threat-matching searches in Splunk Enterprise Security
• Configure threat lists in Splunk Enterprise Security
• Create and manage safelist libraries in Splunk Enterprise Security