Splunk Enterprise Security

Splunk ES security search results

Nrsch
Explorer

Hi, there are some security saved searches and key indicators in ES. If I activate these searches and they trigger, in which dashboard in ES can I see the results? For example, if the search "Malware - Total Infection Count" triggers, in which dashboard in ES can I see the result?


kiran_panchavat
SplunkTrust

@Nrsch
By default, Key Indicator Searches like “Access - Total Access Attempts,” “Malware - Total Infection Count,” and “Risk - Median Risk Score By Other” do not directly change the “Aggregated User Risk” value on the Risk Analysis dashboard. They are designed to display metrics, not update risk scores. However, if they feed into correlation searches that assign risk scores, they could have an indirect effect.
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
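To make the distinction in the answer above concrete, here are two SPL searches added as an illustration (not part of the thread, and not the exact searches shipped with ES). The first has the shape of a key indicator: it reads the CIM Malware data model and produces a single metric for display. The second has the shape of what the Risk Analysis dashboard reads: it sums `risk_score` per user from the Risk data model, which only correlation searches with a risk action populate. Field and data model names are CIM's; the 24h window and output field names are assumptions.

```spl
| tstats count as infection_count
    from datamodel=Malware.Malware_Attacks
    where earliest=-24h latest=now
  by Malware_Attacks.dest
| rename Malware_Attacks.dest as dest
| stats sum(infection_count) as current_count dc(dest) as infected_hosts

| tstats sum(All_Risk.risk_score) as aggregated_risk
    values(All_Risk.source) as contributing_searches
    from datamodel=Risk.All_Risk
    where earliest=-24h latest=now All_Risk.risk_object_type="user"
  by All_Risk.risk_object
| rename All_Risk.risk_object as user
| sort - aggregated_risk
```

Run each search separately. Because the first never writes to the `risk` index, its result cannot change `aggregated_risk` in the second; only a correlation search configured with the Risk Analysis adaptive response action adds rows that the second search sums.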

Nrsch
Explorer

Thanks, as you said the key indicator searches are designed to display metrics, so exactly where and how can I see these metrics?

Thank you very much for your answer 🌹


kiran_panchavat
SplunkTrust

@Nrsch

If you're using Splunk ES version 8.x, navigate to the Splunk ES App, then go to Mission Control, where you'll find the "Analyst Queue." This serves the same function as "Incident Review."

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

kiran_panchavat
SplunkTrust

@Nrsch

In Splunk Enterprise Security (ES), when a saved search like "Malware - Total Infection Count" is triggered, the results typically manifest as notable events. These notable events are designed to alert security analysts to potential issues and are centralized in specific dashboards within ES.

Incident Review Dashboard

The Incident Review dashboard is the main place to view triggered notable events from security saved searches, including something like "Malware - Total Infection Count."

How to Access:
  1. Log into Splunk ES.
  2. Navigate to Security > Incident Review in the ES menu.
  3. Look for notable events tied to the "Malware - Total Infection Count" search. You can filter by search name, urgency (e.g., critical, high), or time range to locate the specific event.

Security Posture Dashboard

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

Nrsch
Explorer

Thank you for the reply, it's very useful.
Let me explain my question further: I have some "Key Indicator Searches" like "Access - Total Access Attempts", "Malware - Total Infection Count" and "Risk - Median Risk Score By Other". You said that if they trigger I can see their related notable events in "Incident Review". That's OK, but my main question is: do these searches have any effect on any value in some dashboard in ES? For example, maybe they change the value of "aggregated user risk" in "ES -> Security Intelligence -> Risk Analysis -> aggregated user risk".
Thank you very much for your reply 😊
