TTechclick ⚡ XP 0% All lessons
Splunk · SIEM · Enterprise SecurityInteractive · L1 / L2 / L3

Splunk Enterprise Security — Notable Events, Correlation Searches & Risk-Based Alerting

Splunk Enterprise Security (ES) is the SIEM app that sits on top of Splunk. It runs correlation searches over normalised data, turns matches into notable events you triage in Incident Review, and uses risk-based alerting to stop the SOC drowning in noise. This lesson traces a raw log all the way to a triaged notable, and explains exactly what RBA solves.

📅 2026-06-19 · ⏱ 17 min · 5 infographics · live triage demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Splunk Enterprise Security (2026): the SIEM app on top of Splunk — correlation searches that turn raw logs into notable events, the Incident Review dashboard, the Common Information Model (CIM) and data models that feed it, risk-based alerting (RBA) with risk objects and scores, the threat intelligence framework, adaptive response actions, and security posture and glass tables. See exactly how one log becomes a triaged notable, and what RBA fixes.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

ES on top of Splunk

The SIEM app, CIM and data models.

 2

Log to notable

Correlation searches, notables, Incident Review.

 3

Intel & response

Threat intel framework, adaptive response.

 4

RBA & posture

Risk objects, scores, glass tables.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is Splunk Enterprise Security a separate product from Splunk?

Answered in ES on top of Splunk.

2. What does a correlation search create when it matches?

Answered in Log to notable.

3. What problem does risk-based alerting mainly solve?

Answered in RBA & posture.

Most engineers think…

Most people think 'Splunk' and 'Splunk Enterprise Security' are the same thing — that ES is just Splunk with some dashboards. That mental model falls apart the moment an interviewer asks how a raw log becomes a triaged alert, or what risk-based alerting actually fixes.

Splunk ES is a premium SIEM app that runs on top of core Splunk. Splunk collects, indexes and searches; ES adds the security brain — it normalises data to the Common Information Model (CIM), runs correlation searches over accelerated data models, turns matches into notable events you triage in Incident Review, enriches with a threat intelligence framework, acts via adaptive response, and uses risk-based alerting (RBA) to stop firing a separate alert on every event. Understand that stack and the log-to-notable path, and the rest clicks into place.

① ES is a SIEM app on top of Splunk — and it runs on CIM

The single most important idea: Splunk Enterprise Security is not a separate product, it is an app installed on top of core Splunk. Core Splunk does the plumbing — forwarders collect, indexers store, search heads query. ES adds the security content: pre-built correlation searches, dashboards, the Incident Review queue, threat intelligence and risk-based alerting. In production ES usually runs on its own dedicated search head.

Why CIM comes first

ES only works well if your data speaks one language. The Common Information Model (CIM) is a shared, search-time schema: it maps each vendor's odd field names onto the same normalised names and tags — so a Cisco, a Windows and a Palo Alto login all expose user, src and action the same way. CIM groups that normalised data into data models like Authentication, Network Traffic and Malware, which ES accelerates for speed. Correlation searches run against those models, not raw text — which is exactly why bad data onboarding breaks ES.

Figure 1 — ES log-to-notable pipeline, end to end
Every log takes the same path in ES: indexed by Splunk, normalised by CIM, matched by a correlation search, raised as a notable, triaged in Incident Review.ES log-to-notable pipeline, end to endRaw logindexed by SplunkNormaliseCIM fields & tagsData modelaccelerated, e.g. AuthCorrelatesearch matches patternNotabletriage in IncidentReview
Every log takes the same path in ES: indexed by Splunk, normalised by CIM, matched by a correlation search, raised as a notable, triaged in Incident Review.
Figure 2 — The ES stack — security app on top of core Splunk
ES is the top layer; it depends on CIM-normalised data flowing up from core Splunk underneath.The ES stack — security app on top of core SplunkEnterprise Security appCorrelation searches, notables, RBA, postureCIM & data modelsNormalised fields, accelerated Auth/Network/MalwareCore Splunk platformForwarders, indexers, search heads
ES is the top layer; it depends on CIM-normalised data flowing up from core Splunk underneath.
Separate core Splunk from the ES app

In an interview, say it plainly: core Splunk collects, indexes and searches; Enterprise Security is the SIEM app on top that adds correlation searches, notables, Incident Review, threat intel and RBA. And it only works on CIM-normalised data feeding accelerated data models — so 'ES is broken' is very often 'the data isn't CIM-compliant'.

Quick check · Q1 of 10 · Understand

Splunk Enterprise Security is best described as…

Correct: b. ES is a premium app that runs on core Splunk. Splunk does collection, indexing and search; ES adds the security content — correlation searches, notables, Incident Review, threat intel and RBA, usually on a dedicated search head.
👉 So far: Splunk ES is a SIEM app on top of core Splunk. It runs on CIM-normalised data grouped into accelerated data models (Authentication, Network, Malware) — correlation searches run on the models, not raw text.

② From raw log to notable event — the core ES loop

Here is the path interviewers want you to draw. A raw log is collected and indexed by core Splunk, normalised to CIM and rolled into an accelerated data model. A scheduled correlation search runs over that model on an interval (say every five minutes) looking for a pattern — e.g. many failed logins then one success. When it matches, ES creates a notable event: a security alert with a title, an urgency (derived from the event's severity and the asset/identity priority), the offending user and host, and the contributing events that fired it.

Incident Review is where analysts live

Notables land in the Incident Review dashboard — the SOC triage queue. From there an analyst sets status (New ▸ In Progress ▸ Resolved ▸ Closed), assigns an owner, drills into the raw contributing events, and runs response actions. The interview line: a correlation search is the rule; the notable event is the alert it produces; Incident Review is where you work it. (In ES 8.x these are renamed — correlation searches become detections, notables become findings, and Incident Review is part of Mission Control — but the mechanics are identical.)

🧩
Correlation search
tap to flip

A scheduled saved search over CIM data models that looks for a security pattern and creates a notable event when it matches. In ES 8.x it is called a detection.

🚨
Notable event
tap to flip

The security alert a correlation search produces — title, urgency, risk objects, contributing events. Triaged in Incident Review. Called a finding in ES 8.x.

🗂️
CIM & data models
tap to flip

The shared search-time schema that normalises vendor fields, grouped into accelerated data models (Authentication, Network, Malware) that correlation searches run against.

📊
Glass table
tap to flip

A custom live diagram (network or process flow) with security metrics overlaid, so analysts and leaders read the state of the estate at a glance.

Don't confuse the search, the alert and the queue

A classic slip is calling everything a 'notable'. The correlation search is the rule (a detection in ES 8.x), the notable event is the alert it produces (a finding in 8.x), and Incident Review is the triage queue (now part of Mission Control). Name the three separately and your log-to-notable answer instantly sounds senior.

▶ Watch a brute-force login become a triaged notable

How one raw auth log travels through ES end-to-end. Press Play for the healthy path, then Break it to see the classic failure.

① NormaliseA Windows failed-login event is indexed by Splunk and normalised to CIM — user, src and action map into the Authentication data model.
② CorrelateThe scheduled brute-force correlation search runs over the accelerated Authentication model and spots many failures then one success for one user.
③ NotableES raises a notable event with an urgency from severity x asset priority, the user and host risk objects, and the contributing login events.
④ Triage & respondThe notable appears in Incident Review; the analyst assigns it and runs an adaptive response action to disable the account and raise its risk score.
Press Play to step through the healthy path from raw login to triaged notable. Then press Break it.
Quick check · Q2 of 10 · Remember

What does a correlation search produce when its pattern matches?

Correct: c. A correlation search is the rule; when it matches it creates a notable event — a security alert with a title, urgency, risk objects and contributing events — that analysts triage on the Incident Review dashboard.
👉 So far: Log-to-notable path: raw log ▸ CIM normalise ▸ data model ▸ correlation search matches ▸ notable event (title, urgency, risk objects, contributing events) ▸ triage in Incident Review.

③ Threat intelligence and adaptive response — context and action

A notable on its own is just 'something matched'. Two ES frameworks add context and action. The threat intelligence framework pulls in indicators of compromise (IOCs) — malicious IPs, domains, URLs and file hashes — from feeds, normalises them into KV-store threat collections (ip_intel, http_intel, file_intel and friends), and continuously matches them against your CIM data. A hit is written to the threat_activity index and can raise its own notable, so a connection to a known-bad IP lights up automatically.

Adaptive response actions are what ES does about a match. They can fire automatically from a correlation search or be run by hand from Incident Review: send an email, run a script, ping or nslookup a host, add an artefact to threat intel, or modify the risk score of a user or system. This is also the integration seam — adaptive response is how ES reaches out to SOAR, firewalls and ticketing. The interview line: threat intel adds the 'is this known bad?' context; adaptive response is the 'now do something' hook.

Figure 3 — What feeds and surrounds a notable
A notable event sits at the centre of the ES content frameworks — each one adds context, action or scoring.What feeds and surrounds a notableNotable eventraised by a corr. searchCorrelation searchCIM data modelThreat intel matchAdaptive responseRisk object & scoreIncident Review
A notable event sits at the centre of the ES content frameworks — each one adds context, action or scoring.
Quick check · Q3 of 10 · Apply

A correlation search matches, and you want ES to automatically open a ticket and email the SOC. Which framework does that?

Correct: d. Adaptive response actions are the 'now do something' hook — email, run a script, ping/nslookup, add threat intel, change risk score, or reach out to SOAR/ticketing. They fire automatically from a correlation search or by hand from Incident Review.
👉 So far: Threat intel framework loads IOCs into KV-store threat collections and matches them against CIM data (threat_activity index). Adaptive response actions are the 'now do something' hooks — email, script, change risk, call SOAR.

④ Risk-based alerting and posture — taming the noise

Classic SIEMs fire a notable on every suspicious event, so the SOC drowns and starts ignoring alerts — alert fatigue. Risk-based alerting (RBA) flips the model. Instead of alerting immediately, narrowly-scoped risk rules (correlation searches in disguise) write small risk events to a dedicated risk index. Each risk event is attached to a risk object (a user, a system, or other) and carries a risk score (roughly impact x confidence) plus MITRE ATT&CK tactic and technique annotations.

One high-fidelity notable, not a hundred

A separate risk incident rule watches the risk index and raises a single risk notable only when one risk object's aggregated score crosses a threshold over a time window — ideally across several techniques and data sources. So fifteen low-grade signals on one user become one well-told story, not fifteen pages. Risk factors can amplify scores (e.g. x1.5 for a privileged account). Finally, security posture dashboards and glass tables visualise the whole estate — posture gives a SOC-wide overview of key metrics; a glass table is a custom diagram (network or process) with live metrics overlaid, so leadership and analysts read state at a glance.

Figure 4 — Classic alerting vs risk-based alerting
RBA stops one-alert-per-event noise by accumulating risk on an object and firing one high-fidelity notable.Classic alerting vs risk-based alertingClassic correlation alertingOne notable per matching eventSOC drowns in low-grade alertsEach alert lacks the wider storyAlert fatigue, ignored queuesRisk-based alerting (RBA)Small risk events to risk indexRisk accrues on a user/systemOne notable when score crossesHigh-fidelity, MITRE-mapped story
RBA stops one-alert-per-event noise by accumulating risk on an object and firing one high-fidelity notable.
Figure 5 — How RBA raises one risk notable
Many small risk events accumulate on one risk object; a risk incident rule raises a single notable only when the total crosses a threshold.How RBA raises one risk notableRisk ruleswrite risk eventsRisk indexscore per objectAggregatesum over time windowThresholdscore crosses limitRisk notableone story,MITRE-mapped
Many small risk events accumulate on one risk object; a risk incident rule raises a single notable only when the total crosses a threshold.

Priya at a Hyderabad SOC faces this

Her brute-force correlation search fires a notable on every account with five failed logins, so Incident Review shows 400 low-grade notables a day and analysts have stopped reading them.

Likely cause

The detection alerts one-per-event with no aggregation, so normal lockouts and password typos flood the queue and bury the real attacks.

Diagnosis

Open Incident Review and Security Posture: thousands of near-identical low-urgency notables, almost all benign, classic alert fatigue from a noisy point-in-time rule.

ES ▸ Configure ▸ Content ▸ Correlation Searches (risk rule) + Risk Analysis
Fix

Convert the rule to a risk rule that writes scored, MITRE-annotated risk events to the risk index against the user risk object, then let a risk incident rule raise ONE risk notable only when a user's aggregated score crosses the threshold across several techniques.

Verify

Re-check Incident Review: the 400 notables collapse into a handful of high-fidelity risk notables, each telling a multi-step story for one user, and analysts trust the queue again.

Prove RBA worked from the risk index, not a hunch

Never claim 'RBA cut the noise' on vibes. Search the risk index for the risk object and show the accumulated risk events, their scores and MITRE techniques, then show the single risk notable they rolled up into. That one read proves the aggregation fired correctly instead of one-alert-per-event.

Quick check · Q4 of 10 · Analyze

Your SOC ignores alerts because every single suspicious event fires its own notable. What does risk-based alerting change?

Correct: a. RBA fixes alert fatigue. Instead of one notable per event, narrow risk rules accumulate scored, MITRE-annotated risk events on a user or system; a risk incident rule raises a single high-fidelity notable only when that object's total risk crosses the threshold over time.
👉 So far: RBA fixes alert fatigue: risk rules write scored, MITRE-annotated risk events to the risk index against a risk object; one risk notable fires when the aggregated score crosses a threshold. Posture dashboards and glass tables show estate-wide state.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which statement about Splunk ES is correct?

Correct: a. ES is a premium app installed on core Splunk. Splunk handles collection, indexing and search; ES adds correlation searches, notables, Incident Review, threat intel and RBA, usually on a dedicated search head.
Q6 · Understand

Why must data be CIM-compliant for ES correlation searches to work?

Correct: c. CIM normalises vendor fields into shared names and tags and groups them into data models (Authentication, Network, Malware). ES accelerates those models and searches them — non-CIM data never populates the model, so the search matches nothing.
Q7 · Apply

An analyst opens the triage queue to assign a freshly fired alert and review its contributing events. Which dashboard is that?

Correct: b. Incident Review is the SOC triage queue for notable events — set status, assign an owner, drill into contributing events, and run adaptive response actions. In ES 8.x this work moves into Mission Control / the Analyst Queue.
Q8 · Analyze

In RBA, what is a 'risk object'?

Correct: d. A risk object is the user, system/host, or unspecified other that risk events are attributed to. Risk scores accumulate on that object over time, and a risk notable fires when its aggregated score crosses the threshold.
Q9 · Evaluate

An interviewer asks the single biggest reason teams adopt risk-based alerting. Best answer?

Correct: b. RBA's whole point is high-fidelity alerting: narrow risk rules write scored, MITRE-mapped risk events to the risk index, and a risk incident rule raises one notable only when an object crosses the threshold — cutting noise and rebuilding analyst trust in the queue.
Q10 · Evaluate

Which best describes the role of the threat intelligence framework versus adaptive response in ES?

Correct: c. The threat intelligence framework loads IOCs into KV-store collections and matches them against CIM data (threat_activity index) for context. Adaptive response actions are the 'now act' hooks — email, script, change risk score, add threat intel, or integrate with SOAR and ticketing.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: how does a raw log become a triaged notable in Splunk ES, and what does risk-based alerting change about that? Then compare with the expert version.

Expert version: A raw log is indexed by core Splunk, normalised to the CIM and rolled into an accelerated data model (Authentication, Network, Malware). A scheduled correlation search runs over that model, and when it matches a pattern it creates a notable event — with a title, an urgency from severity x asset priority, the user/host risk objects and the contributing events — which an analyst triages in Incident Review and acts on via adaptive response. Risk-based alerting changes the noisy part: instead of one notable per event, narrow risk rules write small scored, MITRE-annotated risk events to a risk index against a risk object, and a risk incident rule raises a single high-fidelity risk notable only when that object's aggregated score crosses a threshold over time — fixing alert fatigue. (In ES 8.x correlation searches are called detections, notables are findings, and Incident Review lives inside Mission Control, but the flow is unchanged.)

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Splunk Enterprise Security (ES)
A premium SIEM app installed on top of core Splunk that adds correlation searches, notable events, Incident Review, threat intelligence, adaptive response and risk-based alerting.
Common Information Model (CIM)
A shared, search-time schema that normalises different vendors' fields onto the same names and tags so ES content works across all data.
Data model
A normalised, often accelerated, structure (Authentication, Network Traffic, Malware) that correlation searches run against instead of raw text.
Correlation search
A scheduled saved search over CIM data models that detects a security pattern and creates a notable event on a match. Called a detection in ES 8.x.
Notable event
The security alert a correlation search produces — title, urgency, risk objects and contributing events. Called a finding in ES 8.x.
Incident Review
The SOC triage dashboard where analysts work notable events: set status, assign owners, drill into contributing events and run response actions. Folded into Mission Control in ES 8.x.
Threat intelligence framework
ES feature that loads IOCs (IPs, domains, URLs, hashes) into KV-store threat collections and matches them against CIM data, writing hits to the threat_activity index.
Adaptive response action
A pre-built action ES can run automatically or manually — email, script, ping/nslookup, add threat intel, change risk score, or call out to SOAR and ticketing.
Risk-based alerting (RBA)
An alerting model where risk rules write scored, MITRE-annotated risk events to a risk index against a risk object; one risk notable fires when the aggregated score crosses a threshold.
Risk object / risk score
The risk object is the user, system or other an event is attributed to; the risk score (roughly impact x confidence) is the value that accumulates on it over time.

📚 Sources

  1. Splunk Docs — Configure correlation searches in Splunk Enterprise Security. help.splunk.com/en/splunk-enterprise-security-7/administer/7.3/correlation-searches
  2. Splunk Docs — Incident Review dashboard and notable events. help.splunk.com/en/splunk-enterprise-security
  3. Splunk Docs — Overview of the Splunk Common Information Model (CIM 8.5.0, 2026). help.splunk.com/en/splunk-enterprise/common-information-model/8.5/introduction/overview-of-the-splunk-common-information-model
  4. Splunk Docs — How risk-based alerting works in Splunk Enterprise Security (risk objects, scores, risk notables). help.splunk.com/en/splunk-enterprise-security-7/risk-based-alerting/7.3/introduction/how-risk-based-alerting-works-in-splunk-enterprise-security
  5. Splunk Docs — Configure adaptive response actions & threat intelligence KV Store collections. help.splunk.com/en/splunk-enterprise-security-8/administer/8.5/detections/configure-adaptive-response-actions-for-detections-in-splunk-enterprise-security
  6. Splunk Docs — Release notes for Splunk Enterprise Security 8.5 (detections, findings, Mission Control), 2026. help.splunk.com/en/splunk-enterprise-security-8/release-notes-and-resources/8.5/splunk-enterprise-security-release-notes/release-notes-for-splunk-enterprise-security

What's next?

Got ES? Next, master SPL — the Search Processing Language — so you can actually write the correlation-search logic (search, stats, tstats, eval, transaction) that powers every notable and risk rule.

Next · All interview lessons → Practice on exam.techclick.in →