Splunk® Enterprise Security

Administer Splunk Enterprise Security

Manage analyst workflows using the analyst queue in Splunk Enterprise Security

Use the Analyst queue on the Mission Control page in Splunk Enterprise Security to view a list of findings and investigations in a centralized location for faster and easier triage.

You can triage findings for investigations as they are displayed on the Analyst queue. However, you cannot triage intermediate findings as they are not displayed on the Analyst queue.

You can configure whether a detection generates findings or intermediate findings. You can also group findings together as a finding group. Finding groups are displayed on the Analyst queue. You can expand the list of findings in a group in the Analyst queue.

The following actions can be performed on findings, finding groups, and investigations in Splunk Enterprise Security from the Analyst queue:

The following figure is a screenshot of how the Analyst queue is displayed on the Mission Control page in Splunk Enterprise Security:

Screenshot of the Analyst queue on the Mission Control page in Splunk Enterprise Security.

The following fields are displayed for the findings and investigations in the Analyst queue of the Mission Control page:

Field Description Example
Title Title of the finding or investigation. Possible phishing attack
ID Unique identifier for the finding or investigation in Splunk Enterprise Security. ES-79845
Type Identifies whether the listed item is a finding or an investigation. FINDING or INVESTIGATION
Entity Name of the entity (asset or identity) for which the finding or investigation was created. IP address such as 98.139.180.149
Risk score Numeric metric that shows the relative risk of the asset or identity such as a device or a user in your network environment for which the finding or investigation got created. 420
Findings Number of contributing findings in a finding group or an investigation. 4
Intermediate findings Number of intermediate findings in a finding group or an investigation. 9
Time Time stamp when the finding or investigation got created. Today, 10:20 AM
Disposition Identifies the threat level associated with the finding. Following are possible disposition values:
  • Undetermined
  • True Positive - Suspicious Activity
  • Benign Positive - Suspicious But Expected
  • False Positive - Incorrect Analytic Logic
  • False Positive - Inaccurate Data
Urgency Value calculated using the severity of the finding and the priority of the asset or identity involved. Following are possible urgency values:
  • Unknown
  • Low
  • Medium
  • Informational
  • High
  • Critical
Status Indicates the actions in the analyst workflow to address the finding or investigation. Following are possible status values
  • Unassigned
  • New
  • In-progress
  • Pending
  • Closed
Owner Owner assigned to review the finding or investigation. Owners are unassigned by default.

Turn off the enhanced workflow on the Mission Control page

Enhanced workflows to use shared views, saved views, table filters, and table columns on the Incident Review page is turned on by default. You can turn off the enhanced workflow if required.

Follow these steps to turn off the enhanced workflows on the Mission Control page in Splunk Enterprise Security:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General Settings.
  3. Go to Enhanced workflows panel.
  4. Select Turn off.

    Turning off the enhanced workflow capability on the '''Mission Control''' page, deletes all existing saved views.

Notify an analyst of untriaged findings

You can use a detection SPL to notify an analyst if a finding is not been triaged.

Follow these steps to notify an analyst of findings that are not triaged:

  1. In the Splunk Enterprise Security app, select Security content.
  2. Select Content Management.
  3. Locate the Untriaged Notable Events detection using the filters.
  4. Modify the search, changing the finding owner or status fields as desired.
  5. Set the desired alert action.
  6. Save the changes.
  7. Turn on the Untriaged Notable Events detection.

Available features on the analyst queue in Splunk Enterprise Security

You can specify the time range for which you want to display findings and investigations in the Analyst queue. For example, select a time range such as 7 days in the Time range drop-down. The default time range is 24hours.

You can view the contributing findings in finding groups and investigations within the Analyst queue by selecting the caret next to the finding group or investigation. You can add a finding or a finding group into an investigation if it represents a security threat.

By using features such as filtering, saved views, shared views, and customizing table settings, you can surface or categorize findings and investigations by potential severity so that you can quickly audit, customize, triage, assign, and track security threats.

You can display a timeline visualization on the Mission control page for the findings and investigations in the Analyst queue by selecting Show timeline. You can also hide the timeline visualization by selecting Hide timeline. Additionally, you can zoom in, zoom out, and deselect specific findings and investigations on the timeline visualization.

You can display the urgency, status, owner, and domain distributions for the findings and investigations as chart visualizations by selecting Show charts. Additionally, you can hide the chart visualizations by selecting Hide charts.

You can add or remove a finding or an investigation directly from the Analyst queue. As a Splunk Enterprise Security administrator, you can also assign a finding or an investigation to yourself or view details. As an analyst, you can also assign a finding or an investigation to yourself or view details based on access permissions.

Assign a finding or an investigation using the analyst queue

Follow these steps to assign a finding or an investigation to yourself using the Analyst queue:

  1. In the Splunk Enterprise Security app, go to the Analyst queue on the Mission Control page.
  2. Select the three dots next to the finding or finding group to open a drop-down.
  3. Select Assign to me to assign the finding or an investigation to yourself based on access permissions.

View details of a finding or an investigation using the analyst queue

Follow these steps to add or remove a finding or a finding group from an investigation using the Analyst queue:

  1. In the Splunk Enterprise Security app, go to the Analyst queue on the Mission Control page.
  2. Select the three dots next to the finding or finding group to open a drop-down.
  3. Select Assign to me and view details to assign the finding or an investigation to yourself and view information on it based on access permissions.

Add or remove a finding or finding group from an investigation using the analyst queue

Follow these steps to add or remove a finding or a finding group from an investigation using the Analyst queue:

  1. In the Splunk Enterprise Security app, go to the Analyst queue on the Mission Control page.
  2. Select the three dots next to the finding or finding group to open a drop-down.
  3. Select Add to investigation to add a finding or a finding group to an investigation.
  4. Select Remove from investigation to remove a finding or a finding group from an investigation.


Run playbook for a finding or an investigation using the analyst queue

Follow these steps to run a playbook on a finding or investigation from the Analyst queue:

  1. In Splunk Enterprise Security, go to the Analyst queue on the Mission Control page.
  2. Locate a finding that you want to investigate further. Optionally use the search field, time filters, or both to focus the findings and investigations in the list.
  3. Select the box next to the finding or investigation that you want to investigate. Then select Run playbook.
  4. In the Run playbook window, select the playbook you want to run, then select Run playbook.
    Messages show the status while the playbook runs. To see the status of all playbook runs for this finding or investigation, select the finding or investigation. Then in the details panel, review the Automation history and adaptive responses section.
  5. Repeat these steps for additional findings or investigations. If you want to run the same playbook on several findings, investigations, or both, select the box next to each finding or investigation, then select Run playbook.

Suppress finding from the analyst queue

You can suppress findings from displaying on the Analyst queue. You can only suppress findings that are created by detections in the future.

Follow these steps to suppress findings from displaying on the Analyst queue:

  1. In the Splunk Enterprise Security app, go to the Analyst queue on the Mission Control page.
  2. Select the three dots next to the finding or finding group to open a drop-down.
  3. Select Suppress finding to open the Suppress finding dialog.
  4. In the Suppression name field, enter a name for the suppression.
  5. Specify the time for which you want to suppress the finding. For example, 1 day, 1 week, or Custom
  6. Expand Advanced and in the Description field, enter detailed information on the suppression.
  7. Select the fields based on which you want to suppress the findings. For example, event_hash, rule_name
  8. Select Save to save the suppression rule.

Run adaptive response actions using the analyst queue

You can run adaptive response actions from the Analyst queue on the Mission Control page. For more information on configuring and running adaptive response actions in Splunk Enterprise Security, see the product documentation:

Follow these steps to run adaptive response actions from the Analyst queue on the Mission Control page:

  1. In the Splunk Enterprise Security app, go to the Analyst queue on the Mission Control page.
  2. Select the three dots next to the finding or finding group to open a drop-down.
  3. Select Run adaptive response actions to open the Adaptive response actions dialog.
  4. Select the adaptive response actions to run for the finding or investigation from the list of recommended actions. You can also configure new adaptive response actions.
  5. Select Run to run the adaptive response action.

See also

For more information on the analyst workflow in Splunk Enterprise Security, see the product documentation:

Last modified on 25 November, 2024
Log files in Splunk Enterprise Security   Configure the settings for the analyst queue in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters