7/26/2023 0 Comments Splunk enterprise security 7.0![]() Sources Contributing to False Positive - Inaccurate Dataĭisplays a list of sources, which generated notables that have the disposition False Positive - Inaccurate Data over the duration of a specified time period. Sources Contributing to False Positive - Incorrect Analytic Logicĭisplays a list of sources, which generated notables that have the disposition False Positive - Incorrect Analytic Logic over the duration of a specified time period. | timechart span=1d count by disposition_label | eval disposition=if(isnotnull(new_disposition),new_disposition,default_disposition) | lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT disposition as new_disposition | lookup update=true correlationsearches_lookup _key as source OUTPUTNEW default_disposition | eval `get_event_id_meval`, rule_id=event_id, temp_time=time()+86400 For more information on assigning dispositions to notables, see Add dispositions to notables. This visualization provides insight into the number of notables that are false positives versus notables that are true positives. | stats count(eval(status_end = "true")) AS "Notables Closed", count(eval(status_end = "false")) AS "Notables Open" by owner_realnameĭisplays a distribution of the various dispositions that are assigned to notables over the duration of a specified time period. ![]() | timechart span=1d count(eval(status_end="true")) AS "In End State", count AS "Total Assigned"ĭisplays a comparison graph for assigned open versus assigned closed notables by an analyst over the duration of a specified time period. reached the configured end state over the duration of a specified time period. | timechart span=1d count(eval(owner!="unassigned")) AS "Assigned Notables", count(eval(owner="unassigned")) AS "Unassigned Notables"ĭisplays a comparison graph for notables that are assigned versus the notables that have been resolved i.e. | eval `get_event_id_meval`, rule_id=event_id | rename "column" as count_type, "row 1" as countĭisplays a comparison graph of assigned versus unassigned notables over the duration of a specified time period. | eval diff=triage_time-create_time, stat_type=if(create_time relative_time(now(), stats count(eval(create_time = relative_time(now(), AS current ![]() | stats earliest(_time) as create_time, earliest(time) as triage_time by rule_id ![]() | lookup update=true incident_updates_lookup rule_id OUTPUTNEW time | tstats summariesonly=true earliest(_time) as _time FROM datamodel=Incident_Management BY "Notable_Events_le_id" For more information, see Triage notable events in Splunk Enterprise Security. For example, the trendline may display that the mean time to triage a notable over the last 7 days is 0.5% up or down over the mean time taken to triage the notable during the previous 7 day time period. Also, displays a trendline (in absolute value) that indicates how the mean time taken to triage the notable compares to the previous mean time taken to triage the notable over the same time period. The SOC Operations dashboard is designed to provide insight into the security operations center (SOC) based on key metrics, workflows, and dispositions so that you can monitor the efficiency of the SOC and ensure that all security operations (detections, analysis, and responses) are on track.ĭisplays the average time (in minutes) to triage or prioritize the investigation of a notable over the duration of a specified time period.
0 Comments
Leave a Reply. |