Splunk® Security Analytics for AWS

User Manual


Triage notable events in

The Incident Review dashboard displays notable events and their current status, as detected by correlation searches.

A notable event represents one or more anomalous incidents detected by a correlation search across data sources. For example, a notable event can represent:

  • The repeated occurrence of an abnormal spike in network usage over a period of time
  • A single occurrence of unauthorized access to a system
  • A host communicating with a server on a known threat list

You can use the dashboard to gain insight into the severity of events occurring in your system or network. You can use the dashboard to triage new notable events, assign events to analysts for review, and examine notable event details for investigative leads.

Incident review workflow

You can use this example workflow to triage and work notable events on the Incident Review dashboard.

  1. An administrative analyst monitors the Incident Review dashboard, sorting and performing high-level triage on newly created notable events.
  2. When a notable event warrants investigation, the administrative analyst assigns the event to a reviewing analyst, who starts investigating the incident.
  3. The reviewing analyst updates the status of the event from New to In Progress, and begins investigating the cause of the notable event.
  4. The reviewing analyst researches and collects information on the event using the fields and field actions in the notable event. The analyst records the details of their research in the Comments field of the notable event. As part of the research, the analyst might run adaptive response actions. If the research proves that the notable event needs more lengthy investigation, the analyst can assign the notable event to an investigation.
  5. After the reviewing analyst addresses the cause of the notable event and any remediation tasks have been escalated or solved, the analyst sets the notable event status to Resolved.
  6. The analyst assigns the notable event to a final analyst for verification.
  7. The final analyst reviews and validates the changes made to resolve the issue, and sets the status to Closed.
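The seven steps above, as an added example that is not Splunk code and does not describe how Security Analytics for AWS implements status handling internally: a small Python model that walks a constructed notable event through the workflow and rejects out-of-order status changes. The status names (New, In Progress, Resolved, Closed) come from the page; the rule that the analyst who resolves an event may not also close it (step 6 hands the event to a different analyst for verification), the analyst names, and the investigation id are assumptions made here for illustration.

```python
"""Toy model of the Incident Review triage workflow (added illustration, not Splunk code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Allowed status transitions, taken from steps 3, 5 and 7 of the workflow.
TRANSITIONS = {
    "New": {"In Progress"},
    "In Progress": {"Resolved"},
    "Resolved": {"Closed"},
    "Closed": set(),  # a closed event accepts no further status change
}


class WorkflowError(Exception):
    """Raised when a status change violates the workflow."""


@dataclass
class NotableEvent:
    title: str
    status: str = "New"
    owner: Optional[str] = None          # analyst currently assigned (steps 2 and 6)
    resolved_by: Optional[str] = None    # who set Resolved, used for the verification check
    investigation: Optional[str] = None  # set when the event is added to an investigation
    comments: List[str] = field(default_factory=list)  # the Comments field from step 4

    def assign(self, analyst: str, by: str) -> None:
        """Steps 2 and 6: hand the event to a reviewing or verifying analyst."""
        self.owner = analyst
        self.comments.append(f"{by}: assigned to {analyst}")

    def add_comment(self, by: str, text: str) -> None:
        """Step 4: record research details."""
        self.comments.append(f"{by}: {text}")

    def add_to_investigation(self, investigation_id: str) -> None:
        """Step 4: escalate to a longer-running investigation."""
        self.investigation = investigation_id
        self.comments.append(f"added to investigation {investigation_id}")

    def set_status(self, new_status: str, by: str) -> None:
        """Change status, enforcing order, ownership and separation of duties (assumed rule)."""
        if new_status not in TRANSITIONS[self.status]:
            raise WorkflowError(f"cannot move from {self.status} to {new_status}")
        if by != self.owner:
            raise WorkflowError(f"{by} is not the assigned analyst ({self.owner})")
        if new_status == "Closed" and by == self.resolved_by:
            raise WorkflowError("closing analyst must differ from resolving analyst")
        if new_status == "Resolved":
            self.resolved_by = by
        self.comments.append(f"{by}: {self.status} -> {new_status}")
        self.status = new_status


def run_example_workflow() -> NotableEvent:
    """Walk one constructed notable event through steps 1-7; analyst names are placeholders."""
    ev = NotableEvent(title="Host communicating with server on known threat list")  # constructed sample
    ev.assign("reviewer", by="triage")                                         # step 2
    ev.set_status("In Progress", by="reviewer")                               # step 3
    ev.add_comment("reviewer", "dest matches threat list entry; pulled proxy logs")  # step 4
    ev.add_to_investigation("INV-0001")                                       # step 4 (placeholder id)
    ev.set_status("Resolved", by="reviewer")                                  # step 5
    ev.assign("verifier", by="reviewer")                                      # step 6
    ev.set_status("Closed", by="verifier")                                    # step 7
    return ev


def rejected_transitions() -> List[str]:
    """Show the checks firing: skipping In Progress, and one analyst both resolving and closing."""
    errors = []
    ev = NotableEvent(title="constructed sample event")
    ev.assign("reviewer", by="triage")
    try:
        ev.set_status("Resolved", by="reviewer")  # New -> Resolved skips In Progress
    except WorkflowError as exc:
        errors.append(str(exc))
    ev.set_status("In Progress", by="reviewer")
    ev.set_status("Resolved", by="reviewer")
    try:
        ev.set_status("Closed", by="reviewer")    # same analyst resolves and closes
    except WorkflowError as exc:
        errors.append(str(exc))
    return errors


if __name__ == "__main__":
    done = run_example_workflow()
    print(done.status, done.owner, done.investigation)
    for line in done.comments:
        print(" ", line)
    print(rejected_transitions())
```

The separation-of-duties check in `set_status` is the part worth keeping when adapting this: it turns step 6 from a convention into something the tooling enforces, and it is the check an auditor will ask to see.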

Take action on a notable event on Incident Review in

From Incident Review, you can suppress or share a notable event, add an event or multiple events to an investigation, analyze the risk that an asset or identity poses to your environment, or investigate a field in more detail on another dashboard.

Investigate a field in more detail

Take action on a specific field, such as host, src, src_ip, dest, or dest_ip. Different actions are available to take depending on the field you select.

  1. From the menu bar, select Incident Review.
  2. In the Incident Review Events, click the greater than (>) symbol to expand the display.
  3. From a specific field's Action menu, take one of the following actions:
    • Tag fields by selecting Edit tags.
    • Investigate an asset by selecting Asset Investigator to open the Asset Investigator dashboard filtered on the asset.
    • Search for access-related events for a specific destination IP address by selecting Access Search (as destination).
    • Investigate a domain by selecting Domain Dossier.
    • Find other notable events with matching malware signatures by selecting Notable Event Search.
    • Use the embedded workbench to get more context about specific field values.

Example of using the embedded workbench: The embedded workbench provides a simplified drill-down experience, reduces the number of open browser tabs, and makes it easier to determine notable event trends.

Using the source field as an example, suppose you want more authentication context about the asset that a src value identifies. Perform the following steps:

  1. From the menu bar, select Incident Review.
  2. In the Incident Review Events, click the greater than (>) symbol to expand the display.
  3. From a notable event that contains a Source (src) value:
    1. Click the source field actions menu.
    2. Scroll down to the menu items that start with "workbench" and select one such as Workbench - Authentication (src).
    3. View source analysis related to investigated assets or identities. The data source is the Authentication data model. Results include events that contain artifacts in the src, dest, user, user_id, user_role, src_user, src_user_id, src_user_role, or vendor_account fields.

Add a notable event to an investigation

Investigate notable events that could be a part of a security incident by adding them to an investigation.

Add a notable event to an existing investigation by performing the following steps:

  1. From the menu bar, select Incident Review.
  2. Add one or more notable events to an investigation.
    1. Add a single notable event by selecting Add Event to Investigation from the Event Actions.
    2. Add multiple notable events by selecting the check boxes next to the notable events and clicking Add Selected to Investigation.
  3. Select an investigation to add the notable events to. If you selected an investigation in the investigation bar, that investigation is selected by default.
  4. Click Save.
  5. After the event or events are successfully added to the investigation, click Close.

Add a notable event to a new investigation by performing the following steps:

  1. From the menu bar, select Incident Review.
  2. Select one or several notable events and click Add Selected to Investigation.
  3. Click Create Investigation to start a new investigation.
  4. Type a title for the investigation.
  5. (Optional) Change the default status.
  6. (Optional) Type a description.
  7. Click Save to save the investigation and add the notable event or notable events to the investigation. Clicking Cancel does not add the selected notable events, but the new investigation is still created. You can click Start Investigation to add the notable events to the investigation and open the investigation.
  8. After the event or events are successfully added to the investigation, click Close or click Open <Investigation name> to open the investigation.

Last modified on 10 August, 2021

This documentation applies to the following versions of Splunk® Security Analytics for AWS: 1.0.0