Splunk Enterprise Security

Splunk ES security search results

Nrsch
Explorer

Hi, there are some security saved searches and key indicator searches in ES. If I activate these searches and they trigger, in which dashboard in ES can I see the result? For example, if the search "Malware - Total Infection Count" triggers, in which dashboard in ES can I see the result?

# ES

# enterprise security


kiran_panchavat
SplunkTrust

@Nrsch 

By default, Key Indicator Searches like "Access - Total Access Attempts," "Malware - Total Infection Count," and "Risk - Median Risk Score By Other" do not directly change the "Aggregated User Risk" value on the Risk Analysis dashboard. They are designed to display metrics, not update risk scores. However, if they feed into correlation searches that assign risk scores, they could have an indirect effect.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
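As an added illustration of the distinction drawn in this reply (example SPL written for this page, not code from the thread and not Splunk's own ES search definitions), here are three searches side by side: a metrics-only search that reports an infection count the way a key indicator does, a search that writes risk modifiers to the risk index, and the aggregation that the Risk Analysis dashboard performs over that index. The CIM Malware data model fields and the risk-index fields `risk_object`, `risk_object_type`, `risk_score` and `risk_message` are the ones ES uses; the threshold of 3, the score of 20, the `source` label and the use of `collect` to write into `index=risk` are assumptions chosen for illustration.

```spl
| tstats count AS infection_count
    from datamodel=Malware.Malware_Attacks
    by Malware_Attacks.dest
| rename Malware_Attacks.dest AS dest
| sort - infection_count

| tstats count AS infection_count
    from datamodel=Malware.Malware_Attacks
    by Malware_Attacks.dest
| rename Malware_Attacks.dest AS dest
| where infection_count >= 3
| eval risk_object=dest,
       risk_object_type="system",
       risk_score=20,
       risk_message="Repeated malware detections on " . dest
| collect index=risk source="Malware - Repeated Infections (example)"

index=risk
| stats sum(risk_score) AS aggregated_risk,
        dc(source)      AS distinct_risk_sources
        by risk_object_type, risk_object
| sort - aggregated_risk
```

The first search returns a number and persists nothing, which is why a key indicator on its own cannot move a risk score. Only the second search adds rows to `index=risk`, and only those rows are summed by the third search, which is a simplified form of what the Risk Analysis dashboard does over the selected time range (ES correlation searches normally write these rows through the Risk Analysis adaptive response action rather than a raw `collect`; the `collect` form is used here so the example runs as plain SPL).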

Nrsch
Explorer

Thanks. As you said, the key indicator searches are designed to display metrics, so exactly where and how can I see these metrics?

Thank you very much for your answer 🌹


kiran_panchavat
SplunkTrust

@Nrsch

If you're using Splunk ES version 8.x, navigate to the Splunk ES App, then go to Mission Control, where you'll find the "Analyst Queue." This serves the same function as "Incident Review."


kiran_panchavat
SplunkTrust

@Nrsch 

In Splunk Enterprise Security (ES), when a saved search like "Malware - Total Infection Count" is triggered, the results typically manifest as notable events. These notable events are designed to alert security analysts to potential issues and are centralized in specific dashboards within ES.

Incident Review Dashboard:

The Incident Review dashboard is the main place to view triggered notable events from security saved searches, including something like "Malware - Total Infection Count."

How to Access:
  1. Log into Splunk ES.
  2. Navigate to Security > Incident Review in the ES menu.
  3. Look for notable events tied to the "Malware - Total Infection Count" search. You can filter by search name, urgency (e.g., critical, high), or time range to locate the specific event.

Security Posture Dashboard


Nrsch
Explorer

Thank you for the reply, it's very useful.
Let me explain my question further: I have some "Key Indicator Searches" like "Access - Total Access Attempts", "Malware - Total Infection Count", and "Risk - Median Risk Score By Other". You said that if they trigger I can see their related notable events in "Incident Review". That's OK, but my main question is: do these searches have any effect on any value in some dashboard in ES? For example, maybe they change the value of the "aggregated user risk" in "ES -> Security Intelligence -> Risk Analysis -> aggregated user risk".
Thank you very much for your reply 😊
