Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control


Investigate risk events associated with an incident in Splunk Mission Control

A risk event is the result of a metadata-annotated correlation search from Splunk Enterprise Security (Cloud). In Splunk Mission Control, you can use the risk event timeline visualization and the MITRE ATT&CK visualization to investigate the risk events associated with an incident.

Analyze risk events using the risk event timeline

With the risk event timeline visualization, you can analyze the correlation of risk events with their associated risk score.

The risk event timeline uses color codes to indicate the severity of risk scores. The color coding of risk score icons is the same for the Contributing risk events table and the risk event timeline. A lighter color icon corresponds to a lower risk score. See View risk-based alerting scores for artifacts.

The Risk score in the risk event timeline is the sum of all the scores associated with each of the contributing risk events. For example, if there are 5 risk events and each risk event has a risk score of 10, 20, 30, 40, and 50, then the aggregated risk score is 150.

The Threshold indicates the maximum number of risk events you can view on the Contributing risk events table and on the risk event timeline. If the incident has more than 100 risk events, you can select View all events to open the Search tab and see the complete list of risk events. If the number of risk events is less than 100, the event count displays as is.

You can't use the risk event timeline unless all required fields are present within the incident.

For more information, see How the Risk Timeline gets populated in the Use Splunk Enterprise Security Risk-based Alerting manual.

Example workflow using the risk event timeline

Investigate the contributing risk events associated with an incident using the risk event timeline visualization in Splunk Mission Control.

The following example workflow covers how to analyze the risk events associated with an incident so that you can isolate the threat to your security environment.

  1. Select an incident from the Incident review page in Splunk Mission Control.
  2. Expand the Risk events section in the Overview tab.
  3. (Optional) If the incident you selected is part of a parent-child relationship group, use the Incident drop-down list to select related child incidents. The table and visualization reflect risk event data from only one incident at a time. For example, if you select the parent incident, then the risk score and event count do not consider related child incidents.
  4. Sort the contributing risk events in the table based on any of the following fields:
    • Time
    • Risk Rule
    • Risk Score

    You can also search for a specific contributing risk event using the search bar.
  5. Select View contributing events to open the search with the contributing events that triggered the incident. You can browse events in the Search tab, and then return to the Overview tab.
  6. Correlate the risk events with the dates and severity of the risk scores in the timeline visualization to identify threats.

    You can zoom in and out to narrow down the time of occurrence.

  7. Select the color-coded icons in the timeline visualization to view more information on the risk event.
  8. Select a risk event on the timeline to highlight the row for that risk event in the Contributing risk events table.

Evaluate the risk associated with an incident using MITRE ATT&CK

MITRE ATT&CK is a widely used knowledge base of adversary tactics and techniques based on real-world observations in cybersecurity. Tactics are categories of activities such as "Privilege Escalation" or "Command and Control". Techniques are specific activities such as "Kerberoasting" or "Protocol Tunneling". For details on the MITRE ATT&CK framework, search "ATT&CK" on the MITRE website.

In Splunk Mission Control, you can view the MITRE ATT&CK visualization while investigating an incident if the incident came from Splunk Enterprise Security as a notable event with MITRE technique annotations. If you can't see a MITRE ATT&CK visualization for an incident in the Overview tab, then the incident doesn't have any MITRE detections. For more information about MITRE technique annotations in Splunk Enterprise Security, see How risk annotations provide additional context in Splunk Enterprise Security in the Use Splunk Enterprise Security Risk-based Alerting manual.

The MITRE ATT&CK visualization highlights MITRE techniques detected in the incident so that you can reduce the mean time to detection (MTTD) and mean time to repair (MTTR) and enhance the situational awareness in your security operations center (SOC).

To view the MITRE ATT&CK visualization for an incident, complete the following steps:

  1. In Splunk Mission Control, select Incident review.
  2. Select the incident you want to investigate.
  3. Expand the MITRE ATT&CK posture section to see the MITRE tactics and techniques detected for the incident.
    The MITRE ATT&CK visualization displays all the tactics and techniques for every risk event associated with the incident. The number for Detections in incident represents the total number of tactics and techniques detected for all risk events associated with the incident.
  4. (Optional) If the incident you selected is part of a parent-child relationship group, use the Incident drop-down list to select a related parent or child incident. The visualization reflects MITRE data from only one incident at a time. For example, if you select the parent incident, then the total MITRE detections do not include those for related child incidents.
  5. (Optional) Filter and search for techniques.
    1. In the Sub-Techniques drop-down list, select whether to show IDs, sub-techniques, or details. Selecting the Details check box shows all available MITRE techniques.
    2. Using the time range drop-down list, filter techniques by the recency in which they were detected.
    3. Search for particular techniques using the search bar in the Sub-Techniques drop-down list.
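The following Python model, added here as an illustration and not Splunk's own code, shows how the figures described in the two sections above relate to each other: the aggregated Risk score (sum of contributing scores), the 100-event Threshold, the rule that a parent incident never rolls in its child incidents, the sortable Contributing risk events table, and the Detections in incident count across annotated techniques. The incident IDs, rule names, technique IDs and timestamps are constructed sample values; the assumption that each annotated technique on each risk event counts as one detection is ours.

```python
from collections import Counter
from dataclasses import dataclass

THRESHOLD = 100  # maximum events shown in the table and timeline, per the page


@dataclass(frozen=True)
class RiskEvent:
    time: int              # constructed epoch-style timestamp
    risk_rule: str         # name of the correlation search that produced the event
    risk_score: int
    incident_id: str       # the incident this event contributes to
    techniques: tuple = ()  # MITRE technique IDs annotated on the rule (constructed)


# Constructed sample: parent incident INC-1 and child incident INC-2 (not real data).
SAMPLE = [
    RiskEvent(1000, "Kerberoasting detected", 50, "INC-1", ("T1558.003",)),
    RiskEvent(1100, "Protocol tunneling", 30, "INC-1", ("T1572",)),
    RiskEvent(1200, "Privilege escalation", 40, "INC-1", ("T1068",)),
    RiskEvent(1300, "Suspicious DNS", 20, "INC-2", ("T1572",)),
]


def contributing(events, incident_id):
    """Events for exactly one incident; a parent never absorbs its children's events."""
    return [e for e in events if e.incident_id == incident_id]


def aggregate_risk_score(events, incident_id):
    """The timeline's Risk score: the sum of all contributing risk scores."""
    return sum(e.risk_score for e in contributing(events, incident_id))


def event_count_label(events, incident_id):
    """Counts at or below the threshold show as is; above it the UI offers View all events."""
    n = len(contributing(events, incident_id))
    return str(n) if n <= THRESHOLD else f"{THRESHOLD}+ (View all events)"


def sorted_by(events, incident_id, key, descending=False):
    """Sort the contributing table by one of the page's fields: time, risk_rule, risk_score."""
    if key not in ("time", "risk_rule", "risk_score"):
        raise ValueError(f"unsupported sort field: {key}")
    return sorted(contributing(events, incident_id),
                  key=lambda e: getattr(e, key), reverse=descending)


def mitre_detections(events, incident_id):
    """Technique detections across all contributing events (assumed: one per annotation)."""
    return Counter(t for e in contributing(events, incident_id) for t in e.techniques)
```

The total for Detections in incident is `sum(mitre_detections(events, incident_id).values())`, computed for the one incident currently selected in the Incident drop-down list.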

See also

For details on how to use the MITRE ATT&CK framework in Splunk Enterprise Security, see the following topics in the Use Splunk Enterprise Security Risk-based Alerting manual:

Last modified on 18 October, 2023

This documentation applies to the following versions of Splunk® Mission Control: Current
