Review findings using the threat topology visualization in Splunk Enterprise Security

Use the Threat topology visualization in Splunk Enterprise Security to isolate risk and review the finding beyond the infected user, improve situational awareness, and get a comprehensive view of the entire security operations center (SOC).

The Threat topology visualization helps you to identify how the different entities that create a finding relate to each other. Investigating the potential connections between multiple entities that relate to a particular threat is especially useful when the aggregated risk score of the finding is high. You can display a maximum of 20 entities that pertain to a single threat object in the Threat topology visualization.

Note: All information on threat objects already exists in the finding. The Threat topology visualization only helps you to identify the other entities, such as users and systems, that are related to the threats that created a specific finding.

Follow these steps to analyze findings using the Threat topology visualization:

  1. In the Splunk Enterprise Security app, go to the Analyst queue on the Mission Control page.
  2. In the Type column filter dropdown list, select Findings and select Apply to display the findings that have associated intermediate findings.
  3. For any finding, select the number of intermediate findings in the Intermediate findings column.
  4. Select the Threat topology option to display the threat topology visualization of the entities for the finding.
  5. Select any entity to highlight the related entities or threat objects.
  6. Select an entity to display details such as risk scores, priority, and so on.
    You can also select View in Risk analysis to analyze the entity in the Risk analysis dashboard.
    You can also select View in Threat activity to analyze the threat object in the Threat activity dashboard.
  7. Specify the time range to drill down further into the intermediate finding created by the entity.

How the threat topology visualization gets populated

The Threat topology visualization gets populated if intermediate findings with different entities share the same threat object. Adding the threat object fields connects the threat object to the entity in your detections and populates the Threat topology visualization. See Add threat objects as a risk modifier to event-based detections.
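The grouping rule described above, as an added example that is not Splunk's own code: intermediate findings are grouped by threat object, a threat object links entities only when two or more distinct entities share it, and the entity list is capped at 20. The field names (risk_object, risk_object_type, threat_object, threat_object_type, risk_score) are the standard ES risk-index fields; the records, the ordering of entities by risk score, and the function names are assumptions made for this example.

```python
from collections import defaultdict

MAX_ENTITIES = 20  # the visualization shows at most 20 entities per threat object

# Constructed intermediate findings (risk events). Each row attributes one
# threat object to one entity (the risk object) with a risk score.
SAMPLE_FINDINGS = [
    {"risk_object": "jsmith", "risk_object_type": "user",
     "threat_object": "malicious.example", "threat_object_type": "domain", "risk_score": 40},
    {"risk_object": "WS-0142", "risk_object_type": "system",
     "threat_object": "malicious.example", "threat_object_type": "domain", "risk_score": 25},
    {"risk_object": "jsmith", "risk_object_type": "user",
     "threat_object": "CONSTRUCTED_HASH_1", "threat_object_type": "file_hash", "risk_score": 30},
    {"risk_object": "WS-0142", "risk_object_type": "system",
     "threat_object": "10.0.0.5", "threat_object_type": "ip", "risk_score": 10},
]


def build_topology(findings, max_entities=MAX_ENTITIES):
    """Group findings by threat object and keep only threat objects shared by
    two or more distinct entities; those are the ones that draw connections.
    Entities are ranked by summed risk score (an assumption) before the cap."""
    by_threat = defaultdict(dict)
    for f in findings:
        key = (f["threat_object_type"], f["threat_object"])
        entity = (f["risk_object_type"], f["risk_object"])
        by_threat[key][entity] = by_threat[key].get(entity, 0) + f["risk_score"]

    topology = {}
    for (ttype, tobj), entities in by_threat.items():
        if len(entities) < 2:
            continue  # a threat object seen on a single entity links nothing
        ranked = sorted(entities.items(), key=lambda kv: -kv[1])[:max_entities]
        topology[tobj] = {
            "threat_object_type": ttype,
            "entities": [{"entity": e, "entity_type": t, "risk_score": s}
                         for (t, e), s in ranked],
            "aggregated_risk": sum(s for _, s in ranked),
        }
    return topology


def related_entities(topology, entity):
    """Entities connected to `entity` through any shared threat object, i.e.
    what selecting that entity in the visualization highlights."""
    related = set()
    for node in topology.values():
        names = {e["entity"] for e in node["entities"]}
        if entity in names:
            related |= names - {entity}
    return related
```

With the sample data only malicious.example is shared, so the hash and the IP contribute no connections and the topology links jsmith to WS-0142 with an aggregated risk of 65.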