Analyze ES Risk Attributions
Risk-based Alerting is all oriented towards aggregating risky events. This dashboard looks at the content in the ES Risk Framework with out-of-the-box Risk aggregations. It also includes a customized MITRE ATT&CK Matrix based on your search filters, letting you see what techniques have been seen against a particular user, host, or network.
- The Analyze ES Risk Attributions dashboard helps you understand the data provided by Splunk Enterprise Security's Risk Analysis Framework. Most users arrive here via a drilldown from a user or system, which populates that user/system in the search box and focuses the analysis accordingly. That said, you can enter any search string to use the dashboard to analyze a network or even your entire organization.
- Customers who get the most value out of ES Risk often use MITRE ATT&CK, which is why we provide a series of system-wide ATT&CK metrics on the left, followed by the number of hits per tactic for the user/system you provided.
- Beneath that, you will find a customized MITRE ATT&CK Matrix for this user/system, showing you which techniques have fired for the data you’ve selected in the search.
- Aggregating risk attributions is the core strength of this dashboard. You’ll next see a series of charts that aggregate risk by various metrics.
- Finally, you'll see a straightforward sum of risk by object, which shows you which objects are accumulating the greatest amount of risk.
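The following search is an added example of the kind of aggregation the dashboard performs (it is not the dashboard's own search): it sums risk per ATT&CK tactic for one risk object and carries the object's overall risk total alongside, so you can see both views at once. It assumes the ES Risk data model field names (`All_Risk.risk_object`, `All_Risk.risk_score`, `All_Risk.annotations.mitre_attack.mitre_tactic`) and uses the placeholder user `jdoe`.

```spl
| tstats summariesonly=true sum(All_Risk.risk_score) as tactic_risk count as risk_events
    from datamodel=Risk.All_Risk
    where All_Risk.risk_object="jdoe" All_Risk.risk_object_type="user"
    by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| rename All_Risk.* as *
| rename annotations.mitre_attack.mitre_tactic as tactic
| eventstats sum(tactic_risk) as object_total_risk by risk_object
| eval tactic=coalesce(tactic, "unannotated")
| sort - tactic_risk
| table risk_object risk_object_type tactic risk_events tactic_risk object_total_risk
```

Drop the `where` clause to rank every object in the Risk index by `object_total_risk`, which mirrors the dashboard's final sum-of-risk-by-object panel.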