The Incident Review dashboard presents notable events along with their current status. Notable events are anomalous incidents identified by correlation searches across your data sources; they can be filtered by specific criteria, which speeds up triage of those events through an investigation workflow.
A notable event could signify various anomalies, such as:
- Recurring abnormal spikes in network usage over a specific time frame.
- Unauthorized access to a system occurring on a single occasion.
- A host engaging with a server listed as a known threat.
For analysts, the dashboard is the tool for understanding the severity of events in their system or network. It supports triaging new notable events, assigning events to analysts for review, and examining event details for investigative leads.
Administrators can oversee and customize the settings for Incident Review and notable events. For details on administrative tasks, see the documentation titled "Managing Incident Review in Splunk Enterprise Security."
Visualizations and charts on the incident review page
Use the pie charts and the timeline visualization to improve your understanding of notable events. The four pie charts categorize notables by the following criteria:
- Notables by urgency: Groups all notables by the significance of the event: critical, high, medium, low, informational, or unknown.
- Notables by status: Groups all notables by their current status: New, In Progress, Pending, Resolved, or Closed.
- Notables by owner: Groups all notables by owner, whether unassigned, administrator, or a specific analyst name.
- Notables by domain: Groups all notables by the security domain they originate from: access, audit, endpoint, identity, network, or threat.
Use the timeline visualization to pinpoint when notables were generated. Zoom in, zoom out, select, or deselect to focus on specific time periods and examine related events that may be relevant to a targeted threat investigation.
How Splunk Enterprise Security identifies notable events
Splunk Enterprise Security identifies patterns in your data and automatically examines events for security-related incidents through correlation searches. When a correlation search detects a suspicious pattern, it generates a new notable event.
The Incident Review dashboard presents all notable events, which can be organized based on potential severity for efficient triage, assignment, and issue tracking.
Incident review workflow
Follow this example workflow to efficiently triage and manage notable events on the Incident Review dashboard:
- An administrative analyst monitors the Incident Review dashboard and performs high-level triage, sorting through and assessing newly created notable events.
- When the administrative analyst identifies a notable event that requires investigation, they assign the event to a reviewing analyst to start the incident investigation.
- The reviewing analyst changes the status of the event from New to In Progress and begins investigating the root cause of the notable event.
- Utilizing the fields and field actions within the notable event, the reviewing analyst researches and gathers information on the event. The analyst documents the details of their investigation in the Comments field of the notable event. As part of the research, adaptive response actions may be executed. If the investigation indicates that the notable event requires further in-depth analysis, the analyst may assign it to an investigation.
- Once the reviewing analyst addresses the cause of the notable event and any necessary remediation tasks have been escalated or resolved, the analyst sets the notable event status to Resolved.
- The analyst then assigns the notable event to a final analyst for verification.
- The final analyst reviews and validates the changes made to resolve the issue and sets the status to Closed.
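The workflow above, modelled as a small state machine. This is an added illustration, not code from Splunk Enterprise Security: the status names and the analyst roles come from the page, while the transition table, the ownership records and the audit trail are assumptions chosen so that a notable cannot jump from New straight to Closed without passing through review.

```python
"""Status lifecycle of a notable event, modelled on the workflow above.

Added illustration, not Splunk Enterprise Security code. The status names
and analyst roles come from the page; the transition table, the ownership
records and the audit trail are assumptions.
"""
from dataclasses import dataclass, field

STATUSES = ("New", "In Progress", "Pending", "Resolved", "Closed")

# Assumed transition policy. Splunk ES lets administrators restrict which
# status transitions each role may make; this table is one strict policy
# chosen so that a notable cannot move from New directly to Closed.
ALLOWED_TRANSITIONS = {
    "New": {"In Progress"},
    "In Progress": {"Pending", "Resolved"},
    "Pending": {"In Progress", "Resolved"},
    "Resolved": {"Closed", "In Progress"},  # reopened if verification fails
    "Closed": set(),
}


class WorkflowError(Exception):
    """Raised when a requested status change violates the policy."""


def can_transition(current: str, new: str) -> bool:
    """True if the assumed policy allows moving from current to new."""
    return new in ALLOWED_TRANSITIONS.get(current, set())


@dataclass
class Notable:
    rule_name: str          # correlation search that created the notable
    urgency: str            # critical, high, medium, low, informational, unknown
    status: str = "New"
    owner: str = "unassigned"
    comments: list = field(default_factory=list)
    history: list = field(default_factory=list)  # (actor, field, old, new)

    def assign(self, actor: str, owner: str) -> None:
        """Hand the notable to another analyst, keeping the audit trail."""
        self.history.append((actor, "owner", self.owner, owner))
        self.owner = owner

    def set_status(self, actor: str, new_status: str) -> None:
        """Change status only along an allowed transition."""
        if new_status not in STATUSES:
            raise WorkflowError(f"unknown status {new_status!r}")
        if not can_transition(self.status, new_status):
            raise WorkflowError(f"{self.status} -> {new_status} is not allowed")
        self.history.append((actor, "status", self.status, new_status))
        self.status = new_status

    def comment(self, actor: str, text: str) -> None:
        """Record investigation notes, as in the Comments field."""
        self.comments.append((actor, text))


def run_example_workflow() -> Notable:
    """Walk one constructed notable through the seven steps described above."""
    n = Notable(rule_name="Host Contacted Known Threat", urgency="high")  # constructed
    n.assign("admin_analyst", "reviewing_analyst")        # step 2: assignment
    n.set_status("reviewing_analyst", "In Progress")       # step 3
    n.comment("reviewing_analyst",
              "Destination matched threat list; egress blocked at firewall.")  # step 4
    n.set_status("reviewing_analyst", "Resolved")          # step 5
    n.assign("reviewing_analyst", "final_analyst")         # step 6
    n.set_status("final_analyst", "Closed")                # step 7
    return n


if __name__ == "__main__":
    done = run_example_workflow()
    print(done.status, done.owner)
    for entry in done.history:
        print(entry)
```

The `history` list is the point of the model: every owner and status change is recorded with the actor, so a final analyst can verify who did what before setting the notable to Closed.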
Analyze risk in Splunk Enterprise Security
A risk score is an aggregate measure of the relative risk of a device or user in the network environment over a period of time. Splunk Enterprise Security categorizes devices as systems, users as users, and devices or users that cannot be identified as others.
Enterprise Security uses risk analysis to identify and assess the risk of minor incidents and suspicious activity in your environment over time. The Risk Analysis dashboard displays these risk scores together with other risk-related details. Enterprise Security indexes all risk data as events in the risk index.
How Splunk Enterprise Security assigns risk scores
In Enterprise Security, correlation searches connect machine data with asset and identity information, which covers the devices and user entities in a network. Each search looks for a conditional match to its query. When it finds a match, it creates an alert as a notable event, a risk modifier, or both.
A notable event becomes a task: an occurrence that must be assigned, reviewed, and closed. A risk modifier becomes a numeric value that contributes to the overall risk score of a device or user entity.
Investigate a risk notable based on known security frameworks
Identify the tactics and techniques from established security frameworks, such as MITRE ATT&CK and the Kill Chain, that correspond to a risk notable. Mapping risk notables to these frameworks helps categorize attacks, understand adversary behavior, and evaluate the organization's risk. The mappings also show how adversaries might operate in different scenarios, so you can develop informed strategies to detect and ultimately prevent that behavior from affecting the organization's security.
To explore the specific tactics and techniques associated with a risk notable, follow these steps:
- Within the Splunk Enterprise Security menu bar, go to Incident Review.
- Expand the risk notable of interest in the list of notables to reveal its security posture based on MITRE ATT&CK or other security frameworks.
The visualization highlights the tactics and techniques currently identified in the risk notable. You can also use the Workbench-Risk (risk_object) as Asset workflow action panels, or the Risk tab in Workbench, to visually categorize risk objects by MITRE ATT&CK techniques and tactics. For more on identifying annotations based on risk objects in Splunk Enterprise Security, see the documentation on that topic.
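The risk scoring described under "How Splunk Enterprise Security assigns risk scores" and the framework mapping described in this section, as one added example that is not Splunk's own code. It sums risk modifiers per risk object over a window, collects the ATT&CK tactics and techniques the contributing searches were annotated with, and raises a finding when an assumed threshold is crossed. The `risk_object`, `risk_object_type` and `risk_score` field names match fields in the ES risk index; the `mitre_technique` and `mitre_tactic` keys, the sample events, the reference time, the window lengths and the thresholds are assumptions made for illustration.

```python
"""Aggregate risk modifiers into per-entity risk scores and ATT&CK coverage.

Added illustration, not Splunk code. risk_object, risk_object_type and
risk_score mirror fields Splunk ES writes to the risk index; the
mitre_technique and mitre_tactic keys, the sample events, the reference
time, the windows and the thresholds are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def risk_event(time, obj, obj_type, score, source, technique, tactic):
    """Build one risk-index-style event (assumed annotation key names)."""
    return {"_time": time, "risk_object": obj, "risk_object_type": obj_type,
            "risk_score": score, "source": source,
            "mitre_technique": technique, "mitre_tactic": tactic}


# Constructed sample of risk modifiers (not real data); source names are made up.
RISK_EVENTS = [
    risk_event("2024-04-28T10:00:00Z", "host-42", "system", 15, "Port Scan Detected", "T1046", "discovery"),
    risk_event("2024-05-01T08:00:00Z", "host-42", "system", 20, "Excessive Failed Logins", "T1110", "credential-access"),
    risk_event("2024-05-01T09:30:00Z", "host-42", "system", 40, "Host Contacted Known Threat", "T1071", "command-and-control"),
    risk_event("2024-05-01T10:15:00Z", "host-42", "system", 50, "Abnormal Network Usage Spike", "T1048", "exfiltration"),
    risk_event("2024-04-20T09:00:00Z", "alice", "user", 90, "Phishing Link Clicked", "T1566", "initial-access"),
    risk_event("2024-05-01T11:00:00Z", "alice", "user", 30, "Unauthorized System Access", "T1078", "initial-access"),
    risk_event("2024-04-29T09:00:00Z", "bob", "user", 25, "Scheduled Task Created", "T1053", "persistence"),
    risk_event("2024-04-30T15:00:00Z", "bob", "user", 25, "Suspicious Script Execution", "T1059", "execution"),
    risk_event("2024-05-01T07:00:00Z", "bob", "user", 25, "Registry Run Key Modified", "T1547", "persistence"),
]

# Assumed reference time for the windows below.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_time(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class EntityRisk:
    risk_object: str
    risk_object_type: str                            # system, user or other
    score: int = 0                                   # sum within score_window
    sources: set = field(default_factory=set)        # contributing searches
    techniques: set = field(default_factory=set)     # ATT&CK technique IDs
    tactics: set = field(default_factory=set)        # distinct ATT&CK tactics


def aggregate_risk(events, now=NOW, score_window=timedelta(hours=24),
                   tactic_window=timedelta(days=7)):
    """Roll risk modifiers up per (type, object), as the Risk Analysis view does.

    Scores are summed over score_window; technique and tactic coverage is
    collected over the longer tactic_window. Both window lengths are assumptions.
    """
    entities = {}
    for ev in events:
        age = now - parse_time(ev["_time"])
        if age < timedelta(0) or age > tactic_window:
            continue  # future or too old: contributes nothing
        key = (ev["risk_object_type"], ev["risk_object"])
        ent = entities.setdefault(key, EntityRisk(ev["risk_object"], ev["risk_object_type"]))
        ent.sources.add(ev["source"])
        ent.techniques.add(ev["mitre_technique"])
        ent.tactics.add(ev["mitre_tactic"])
        if age <= score_window:
            ent.score += ev["risk_score"]
    return entities


def risk_notables(entities, score_threshold=100, tactic_threshold=3):
    """Return (object, reasons) for entities crossing an assumed threshold.

    Two assumed rules: total score in the window at or above score_threshold,
    or activity spanning at least tactic_threshold distinct ATT&CK tactics.
    """
    findings = []
    for ent in entities.values():
        reasons = []
        if ent.score >= score_threshold:
            reasons.append(f"risk score {ent.score} >= {score_threshold} within window")
        if len(ent.tactics) >= tactic_threshold:
            reasons.append(f"{len(ent.tactics)} distinct tactics: {sorted(ent.tactics)}")
        if reasons:
            findings.append((ent.risk_object, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for obj, reasons in risk_notables(aggregate_risk(RISK_EVENTS)):
        print(obj, *reasons, sep="\n  ")
```

With the constructed events, only `host-42` crosses a threshold: its three modifiers inside the 24-hour window sum to 110, and its four contributing searches span four distinct tactics. `bob` shows why tactics are counted as a set: two persistence techniques count as one tactic, so his three low-value modifiers stay below both thresholds.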