Track your investigations into security incidents on an investigation timeline. This tool allows you to visualize and document the progression of an incident and the steps you take during your investigation. Add notable events, Splunk events, and add information from your investigator journal, which logs items in your action history.
Start an investigation
You can start a new investigation from many views in Enterprise Security.
- Start an investigation from Incident Review while triaging notable events.
- Start an investigation when viewing a dashboard using the Investigation Bar. See Investigation Bar in this manual.
- Start an investigation from My Investigations.
- Start an investigation with an event workflow action. See Add a notable or Splunk event.
By default, only admin users can start a new investigation. See Access to timelines for more.
Track an investigation
Track the progress of your investigation into a security incident, or plot the timeline of an attack, exfiltration, or other time-based security incident. As you conduct your investigation using Splunk Enterprise Security, you can add notable events or Splunk events that add insight to the investigation timeline. Add searches, suppression filters, and dashboard views to the timeline from your action history. See Your action history.
Record other important investigation steps that you take, like phone, email, or chat conversations as notes on the timeline. You can also use the notes feature to add other relevant information like links to online press coverage, tweets, or upload screenshots and other files.
Add a notable or Splunk event
You can add a notable event to an investigation timeline from the Actions menu on the Incident Review dashboard.
Add a Splunk event to an investigation from any dashboard that displays source events, or after using the drilldown to view source events.
- Expand an event to see the Event Actions menu and other details.
- Click Event Actions and select Add to Investigation.
- A new tab opens. Select from existing investigations, or create a new one.
- Click Save.
Add an entry from your action history
Add an entry from your action history in the investigator journal.
- Click Create New Entry and select Action History.
- Locate the actions that you want to add to the investigation timeline.
- The most recent actions that you've taken display in the action history dialog box. You can only add actions from your own investigator journal.
- Sort by time or filter by action type (search run, dashboard viewed, panel filtered, notable status change, or notable events suppressed) to locate the action you want to add.
- For search actions, click the plus sign to view the full search string and verify that you are adding the correct search.
- Select the checkbox next to the action or actions that you want to add to the investigation timeline.
- Click Add to Investigation.
See Your action history for more detail.
Add a note
Add a note to an investigation when viewing the timeline.
- Click Create New Entry and select Note.
- Enter a title.
For example, "Phone conversation with police"
- Select a time. The default is the current date and time.
For example, select the time of the phone call.
- Type a description. If you do not enter a title, the description creates a title.
For example, a note to record a phone conversation could include a description: Called the police. Discussed an employee stealing identities from other employees.
- (Optional): Upload a file attachment.
- From the note, click the paperclip icon.
- Drag and drop a file or click Select File to add a file from your computer.
The maximum file size is 4 MB. You can only add one file to a note.
- Click Add to Investigation to add the note to the open investigation. If you're in the middle of multiple investigations, click Save for Later to save the note without adding it to the investigation you're currently viewing.
Add entries using the investigation bar
You can add new notes and items from your action history to an investigation timeline from any dashboard in Splunk Enterprise Security. If you are in the middle of an investigation, you can add something to a timeline using the investigation bar visible at the bottom of each page. See Investigation Bar in this manual.
Modify timeline entries
Edit or remove individual entries
- Locate the timeline entry you want to modify.
- In the Actions column, click Edit or Remove.
Remove multiple entries
- Select the checkbox next to the entries you want to remove.
- Click Edit Selection and select Remove.
Modify a note
- Locate the note in the list and click Edit.
- Remove a file attachment.
- Click the paperclip icon.
- Click the X next to the file name.
- Replace a file attachment.
- Click the paperclip icon.
- Click Select File and choose the file from your computer or drag and drop a new file into the edit window.
- Click Note Content.
- Click Save to save your changes.
Collaborate with another investigator
In many cases you will need to collaborate with another investigator on an investigation timeline. This enables you to track the same investigation in one place, though many people may be working on it.
Add a collaborator to an investigation timeline
- Click the plus icon.
- Type their name and select them from the drop-down list to add them.
- Their initials will appear in a circle to confirm that they were added. For example, an analyst named Douglas Alan Denon is listed as "DA", while an analyst named Tricia Thompson is "TT".
You can add any Splunk user as a collaborator. Owners and collaborators have the same permissions.
Add all collaborators to an investigation timeline
- Click the plus icon.
- Click Add All.
All users in Splunk Enterprise Security are added as collaborators to the timeline.
View the collaborators assigned to an investigation
- Hover your mouse over the collaborator icons to see their names. If a person does not have a name listed in Splunk, their username will display instead.
- Investigation owners will display Owner next to their name. For example, "Tricia Thompson (Owner)".
To remove someone, hover your mouse over their circle and click the x that appears.
Review an investigation
Revisit past investigations, or view a current investigation by clicking the title from the Investigation Bar or from My Investigations. Only the owner of and collaborators added to that timeline can view and edit it. See Access to timelines for more.
Click an entry to see all details associated with it.
- For notes with file attachments, click the file name to download the file attachments.
- For notable events, click View on Incident Review to open the Incident Review dashboard filtered on that specific notable event.
- For action history entries, you can replicate the previously-performed action. For a search action history entry, click the search string to open it in search. For a dashboard action history entry, click the dashboard name to view the dashboard.
Gain greater insight into a particularly active attack or investigation, or see a big-picture view of an investigation, by expanding or contracting the timeline. Click the timeline to move the timeline and scan the entries. View a chronological list of all timeline entries by clicking the list icon, or refine your view of the timeline using filters. You can filter by type or use the Filter box to filter by title.
To share an investigation with someone outside of Splunk Enterprise Security, such as for auditing purposes, you can print any timeline or save any timeline as a PDF.
- From the timeline, click Print. Splunk ES generates a formatted version of the timeline with entries in chronological order.
- Print the timeline investigation, or save it as a PDF using the print dialog.
Example investigation workflow
- You are notified of a security incident that needs investigation, whether through a notable event, an alert action, or another means such as an email, ticket from the help desk, or a phone call.
- Create an investigation in Splunk Enterprise Security.
- If you need to work with someone else on the investigation, add them as a collaborator to the investigation.
- Investigate the incident. As you investigate, add helpful or insightful steps to the investigation timeline.
- Perform searches, adding helpful searches to the timeline from your action history with the investigation bar or relevant events to the timeline using event actions. This makes it easy to replicate your work for future, similar investigations, and to provide a comprehensive record of your investigation process.
- Filter dashboards to focus on specific elements, like narrowing down a swimlane search to focus on a specific asset or identity on the asset or identity investigator dashboards. Add insightful filtering actions from your action history to the timeline using the investigation bar.
- Triage and investigate related notable events. Add relevant notable events to the timeline.
- Add notes to record other important investigation steps, like notes from a phone call, email or chat conversations, links to press coverage or social media posts. Upload important files like screenshots or forensic investigation files.
Your action history
As you investigate an attack or other security incident, actions that you take in Splunk Enterprise Security are recorded in your investigator journal. Only you can view entries in your investigator journal. Once you add an item to an investigation timeline, all collaborators on the timeline can view that entry.
Your investigator journal tracks the following types of actions using saved searches.
- Dashboards you visit.
- Searches you run.
- Per-panel filtering actions you take.
- Changes you make to a notable event.
- Suppression filters you add to a notable event.
See Data sources for investigations in this manual.
Splunk ES tracks these actions to help you add context to an investigation timeline, better audit an investigation, and provide a complete history of actions taken during an investigation that resulted in relevant findings. For example, if you perform a search that provides helpful information for an investigation, you can add that search to the investigation timeline. You can then locate that search string within the investigation timeline, run the search again, or revisit a helpful search to set it up as a report after the investigation is over.
Configure correlation searches
This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4