Splunk® Enterprise Security

Use Splunk Enterprise Security

Splunk Enterprise Security version 4.6.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of ES.

Manage security investigations in Splunk Enterprise Security

You can manage, start, and track investigations on the Investigations dashboard. View or filter the investigations assigned to you, or create one. You can view all investigations that you collaborate on using this dashboard. Users with admin permissions can also view all investigations that exist in Splunk Enterprise Security.

Screen image: the Investigations dashboard, filtered to investigations assigned to the current user, as seen by a user with administrator permissions.

By default, analysts that use this page only see investigations assigned to them unless they also have the capability to manage all investigations.

Manage your investigations

Manage ongoing investigations from the Investigations dashboard. You can see the titles, descriptions, creation times, and collaborators on the investigations assigned to you or on all investigations in Splunk Enterprise Security.

Filter investigations

Quickly find an investigation or refine the list of investigations by filtering. Type in the Filter box to search the title and description fields of investigations.

Delete investigations

You can delete one or several investigations on the Investigations dashboard. After you delete an investigation, you cannot restore it. Assess the audit or research value of an investigation before deleting it.

  1. Select the check box next to the investigation or investigations you want to delete.
  2. Click Edit Selection and click Delete.
  3. Click Delete to confirm deleting the investigation.

Edit an investigation

Edit the title or description of an investigation by opening the investigation. Only collaborators with write permissions on an investigation can make changes to an investigation.

  1. Find the investigation you want to edit on the Investigations dashboard.
  2. Click the name of the investigation to open it.

See Create and track investigations in Splunk Enterprise Security.

Data sources for investigations

Splunk Enterprise Security stores investigation information in several KV Store collections. The investigations on the Investigations dashboard, the items added to an investigation, and the attachments added to an investigation each have their own collection. See Investigations in the Dashboard requirements matrix.

Investigation details from investigations created in pre-4.6.0 versions of Splunk Enterprise Security are stored in two KV Store collections: investigative_canvas and investigative_canvas_entries. Those collections are preserved in version 4.6.0, but their contents are added to the new investigation KV Store collections.

Action history data sources

Action history items do not appear in your action history immediately after you perform an action. You can view action history items and add them to an investigation only after the saved searches that create action history items have run. By default, the searches run every two minutes. Five saved searches create action history items:

  • Dashboard Views - Action History
  • Search Tracking - Action History
  • Per-Panel Filtering - Action History
  • Notable Suppression - Action History
  • Notable Status - Action History

View the searches by navigating to Configure > Content Management and using the filters on the page. If you change these saved searches, action history items might stop appearing in your action history. To exclude a search from your action history, use the Action History Search Tracking Whitelist lookup. See Configure lists and lookups.
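Because editing any of the five saved searches can silently stop action history items from appearing, a practitioner will want a repeatable check that all five are still present, enabled and scheduled. The following is an added example written for this topic, not Splunk's own code. It parses the JSON returned by the Splunk REST endpoint `GET /services/saved/searches?output_mode=json` and reports any expected search that is missing, disabled or unscheduled. The sample entries are constructed, and the base URL and token used by `fetch_saved_searches` are placeholders that the caller supplies.

```python
"""Health check for the five saved searches that populate the ES action history.

Added example for this topic; it is not Splunk's own code. The search names
are the ones listed in the documentation. SAMPLE_ENTRIES is a constructed
stand-in for the "entry" list of the saved/searches JSON response; base_url
and token in fetch_saved_searches are placeholders.
"""
import json
import urllib.parse
import urllib.request

# Search names as listed in the documentation above.
ACTION_HISTORY_SEARCHES = (
    "Dashboard Views - Action History",
    "Search Tracking - Action History",
    "Per-Panel Filtering - Action History",
    "Notable Suppression - Action History",
    "Notable Status - Action History",
)


def _is_true(value):
    """The REST API returns flags as JSON booleans or as the strings '0'/'1'."""
    return value is True or str(value).lower() in ("1", "true")


def check_action_history_searches(entries):
    """Map each expected search name to 'ok', 'missing', 'disabled' or 'unscheduled'.

    entries: the "entry" list of the saved/searches JSON response.
    """
    content_by_name = {e["name"]: e.get("content", {}) for e in entries}
    report = {}
    for name in ACTION_HISTORY_SEARCHES:
        content = content_by_name.get(name)
        if content is None:
            report[name] = "missing"
        elif _is_true(content.get("disabled", False)):
            report[name] = "disabled"
        elif not _is_true(content.get("is_scheduled", False)):
            report[name] = "unscheduled"
        else:
            report[name] = "ok"
    return report


def problems(report):
    """Names of the searches that will not feed the action history."""
    return sorted(name for name, status in report.items() if status != "ok")


def fetch_saved_searches(base_url, token):
    """Pull the action-history saved searches from a live search head.

    base_url (for example 'https://splunk.example:8089') and token (a Splunk
    authentication token) are placeholders supplied by the caller.
    """
    query = urllib.parse.urlencode({
        "search": "Action History",   # server-side filter on the entry names
        "output_mode": "json",
        "count": "0",                 # no paging: return all matches
    })
    request = urllib.request.Request(
        f"{base_url}/services/saved/searches?{query}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)["entry"]


# Constructed sample of what the endpoint returns: one search disabled by an
# edit, one left unscheduled, one missing entirely (Per-Panel Filtering), and
# an unrelated search that the name filter also matched.
SAMPLE_ENTRIES = [
    {"name": "Dashboard Views - Action History",
     "content": {"disabled": False, "is_scheduled": True, "cron_schedule": "*/2 * * * *"}},
    {"name": "Search Tracking - Action History",
     "content": {"disabled": "0", "is_scheduled": "1", "cron_schedule": "*/2 * * * *"}},
    {"name": "Notable Suppression - Action History",
     "content": {"disabled": False, "is_scheduled": False, "cron_schedule": "*/2 * * * *"}},
    {"name": "Notable Status - Action History",
     "content": {"disabled": True, "is_scheduled": True, "cron_schedule": "*/2 * * * *"}},
    {"name": "Some Other Action History Report",
     "content": {"disabled": False, "is_scheduled": True}},
]

if __name__ == "__main__":
    for name, status in check_action_history_searches(SAMPLE_ENTRIES).items():
        print(f"{status:12} {name}")
```

Running the file prints one status line per expected search; to check a live search head, pass the result of `fetch_saved_searches(...)` to `check_action_history_searches` instead of `SAMPLE_ENTRIES`. Any name that comes back as anything other than `ok` is a search that should be restored before relying on action history in an investigation.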

Access to investigations

Users with the ess_admin role can create, view, and manage investigations by default. Users with the ess_analyst role can create and edit investigations. Make changes to capabilities with the Permissions dashboard.

  • To allow other users to create or edit an investigation, add the Use Investigations capability to their role. Users can only make changes on investigations on which they are a collaborator.
  • To allow other users to manage, view, and delete all investigations, add the Manage all investigations capability to their role.

See Configure users and roles in the Installation and Upgrade Manual.

You can manage who can make changes to an investigation by setting write permissions for collaborators on a specific investigation. By default, all collaborators have write permissions for the investigations to which they are added, but other collaborators on the investigation can change those permissions to read-only. See Make changes to the collaborators on an investigation.

After a user creates an investigation, any user with the Manage all investigations capability can view the investigation, but only the collaborators on the investigation can edit the investigation. You cannot view the investigation KV Store collections as lookups.
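The rules in this section combine two controls: role capabilities (Use Investigations, Manage all investigations) and per-investigation collaborator permissions (write or read-only). Before changing roles on the Permissions dashboard it helps to see the combined effect for each user. The following is an added example written for this topic, not Splunk code: a small model of the create, view, edit and delete decisions as the documentation describes them. The role-to-capability defaults for ess_admin and ess_analyst come from the text above; treating ess_user as having neither capability is an assumption, and the users and investigation are constructed.

```python
"""Model of who can create, view, edit and delete an investigation, following
the Access to investigations rules above.

Added example, not Splunk code. Capability names and the ess_admin/ess_analyst
defaults are from the documentation; the ess_user entry is an assumption; the
users and the investigation below are constructed.
"""
from dataclasses import dataclass

USE_INVESTIGATIONS = "Use Investigations"
MANAGE_ALL = "Manage all investigations"

# Default capabilities per role as stated in the documentation. The empty set
# for ess_user is an assumption: the text grants that role neither capability.
ROLE_CAPABILITIES = {
    "ess_admin": {USE_INVESTIGATIONS, MANAGE_ALL},
    "ess_analyst": {USE_INVESTIGATIONS},
    "ess_user": set(),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

    def capabilities(self):
        caps = set()
        for role in self.roles:
            caps |= ROLE_CAPABILITIES.get(role, set())
        return caps


@dataclass
class Investigation:
    title: str
    # collaborator name -> "write" (the default when added) or "read"
    collaborators: dict


def can_create(user):
    return USE_INVESTIGATIONS in user.capabilities()


def can_view(user, inv):
    # Collaborators see their own investigations; Manage all sees every one.
    return user.name in inv.collaborators or MANAGE_ALL in user.capabilities()


def can_edit(user, inv):
    # Only collaborators with write permission edit; Manage all alone does not.
    return (USE_INVESTIGATIONS in user.capabilities()
            and inv.collaborators.get(user.name) == "write")


def can_delete(user, inv):
    # Deleting from the Investigations dashboard needs Manage all investigations.
    return MANAGE_ALL in user.capabilities()


def set_collaborator_permission(actor, inv, collaborator, level):
    """A collaborator with write access can switch another collaborator between
    write and read-only. Returns True when the change was applied."""
    if level not in ("read", "write") or collaborator not in inv.collaborators:
        return False
    if not can_edit(actor, inv):
        return False
    inv.collaborators[collaborator] = level
    return True


def access_matrix(users, inv):
    """Per-user view/edit/delete decisions for one investigation (audit view)."""
    return {
        u.name: {"view": can_view(u, inv), "edit": can_edit(u, inv),
                 "delete": can_delete(u, inv)}
        for u in users
    }


if __name__ == "__main__":
    admin = User("alice", frozenset({"ess_admin"}))
    analyst = User("bob", frozenset({"ess_analyst"}))
    reader = User("carol", frozenset({"ess_analyst"}))
    outsider = User("dave", frozenset({"ess_user"}))
    case = Investigation("Suspicious logon burst (constructed)",
                         {"bob": "write", "carol": "read"})
    for name, decision in access_matrix([admin, analyst, reader, outsider], case).items():
        print(f"{name:6} {decision}")
```

The matrix makes the least-privilege point of the section visible: an ess_admin who is not a collaborator can view and delete an investigation but cannot edit it, while an analyst collaborator can edit but cannot delete, and a collaborator set to read-only keeps visibility but loses write access.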


This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only

