Analyze ES Risk Attributions

Risk-based Alerting is built around aggregating risky events. This dashboard looks at the content in the ES Risk Framework with out-of-the-box Risk aggregations. It also includes a customized MITRE ATT&CK Matrix based on your search filters, letting you see which techniques have been observed against a particular user, host, or network.

  1. The Analyze ES Risk Attributions dashboard helps you understand the data provided by the Splunk Enterprise Security’s Risk Analysis Framework. Most users will arrive here via a drilldown from a user or system, populating that user/system in the search box and focusing the analysis accordingly. That said, you can enter any search string to use the dashboard to analyze a network or even your entire organization.
  2. Customers who get the most value out of ES Risk often use MITRE ATT&CK, which is why we provide a series of system-wide ATT&CK metrics on the left, followed by the number of hits per tactic for the user/system you provided.
  3. Beneath that, you will find a customized MITRE ATT&CK Matrix for this user/system, showing you which techniques have fired for the data you’ve selected in the search.
  4. Aggregating risk attributions is the core strength of this dashboard. You’ll next see a series of charts that aggregate risk by various metrics.
  5. Finally, you’ll see a straightforward sum of risk by object, which will let you see which objects are experiencing the greatest amount of risk.
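The aggregations the dashboard performs (hits per ATT&CK tactic for a given object, and the sum of risk per object with the techniques that contributed) can be reproduced as ad hoc searches. The two SPL searches below are an added example, not the dashboard's own source or Splunk Security Essentials code; they assume the ES default risk index (`index=risk`), the standard risk-event fields `risk_object`, `risk_object_type`, `risk_score` and `source`, and the `annotations.mitre_attack.*` fields that ES attaches to risk events from annotated correlation searches (older ES versions without annotations will return empty tactic/technique columns). The object filter `risk_object="jdoe"` and the 7-day window are constructed values; replace them with the user, host, or network you are investigating.

```spl
index=risk risk_object="jdoe" earliest=-7d@d latest=now
| rename annotations.mitre_attack.mitre_tactic AS tactic
| mvexpand tactic
| stats count AS hits, sum(risk_score) AS risk_from_tactic BY tactic
| sort - hits

index=risk risk_object="jdoe" earliest=-7d@d latest=now
| eval risk_object=lower(risk_object)
| stats sum(risk_score) AS total_risk,
        count AS attributions,
        dc(source) AS distinct_detections,
        values(annotations.mitre_attack.mitre_technique_id) AS techniques,
        values(annotations.mitre_attack.mitre_tactic) AS tactics
  BY risk_object, risk_object_type
| sort - total_risk
```

The first search mirrors the "hits per tactic" panel: a single risk event can carry several tactic annotations, so `mvexpand` splits them before counting, which means a multi-tactic event is counted once under each tactic. The second search mirrors the final "sum of risk by object" panel; lower-casing `risk_object` avoids splitting one user or host across two rows when different data sources report it in different cases, and `dc(source)` separates an object that tripped many distinct detections from one that tripped the same detection repeatedly, a distinction the raw risk total hides.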