Triage findings and finding groups in Splunk Enterprise Security
Triage findings and finding groups on the Mission Control page in Splunk Enterprise Security by assigning them an owner and modifying the status. Review the list of findings and finding groups in the analyst queue for potential security incidents that require further investigation.
To triage a finding or finding group, follow these steps:
- In Splunk Enterprise Security, select Mission Control to find the list of findings and investigations in the analyst queue.
- Select the name of a finding or finding group that you want to triage from the analyst queue.
- Triage the finding or finding group by setting the fields you need, such as Owner, Status, Urgency, or Disposition.
- (Optional) Review the associated risk scores to help you determine whether the finding is a potential threat.
- (Optional) Open the Detection that generated the finding.
- (Optional) Select the Drill-down search to open a predefined search and gather additional context.
  Finding groups show at most 100 findings and intermediate findings. To see a complete list of all the findings that contribute to a finding group, select the DEFAULT_FBD_DRILLDOWN link. Selecting the drill-down search link opens the search page in a new tab.
- (Optional) Review Included findings or Related investigations.
- (Optional) View Adaptive responses.
- (Optional) Add a note.
See also
For more details on triaging findings and investigations in Splunk Enterprise Security, see the product documentation:
- Overview of Mission Control in Splunk Enterprise Security
- Start investigations in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1, 8.0.2