Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

Splunk Enterprise Security version 4.6.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Create and track investigations in Splunk Enterprise Security

Track your investigations into security incidents on an investigation timeline. This tool lets you visualize and document the progression of an incident and the steps you take during your investigation. Add notable events, other events, and information from your action history.

Start an investigation

You can start an investigation in several ways in Splunk Enterprise Security.

By default, users with the ess_admin and ess_analyst roles can start an investigation. See Access to investigations.

Start an investigation

Start an investigation from the Investigations dashboard.

  1. Click Create New Investigation.
  2. Type a title.
  3. (Optional) Type a description.
  4. Click Save.

Start an investigation from the investigation bar

When viewing dashboards in Splunk Enterprise Security, you can see an investigation bar at the bottom of the page. You can use the investigation bar to track your investigation progress from any page in Splunk Enterprise Security.

  1. Click the plus icon to create an investigation.
  2. Type a title.
  3. (Optional) Type a description.
  4. Click Save.

The investigation is loaded in the investigation bar.

Track an investigation

Track the progress of your investigation into a potential security incident, or plot the timeline of an attack, exfiltration, or other time-based security incident. While you conduct your investigation using Splunk Enterprise Security, you can add notable events or Splunk events that add insight to the investigation. Add searches, suppression filters, and dashboard views to the investigation from your action history. See Your action history.

Record important investigation steps that you take, such as phone, email, or chat conversations as notes on the timeline. You can use notes to add relevant information like links to online press coverage, tweets, or upload screenshots and files.

You can track an investigation using the investigation bar, maintaining context for your investigation as you move across different dashboards in Enterprise Security. This screen image shows the investigation bar with an investigation loaded.

  • Load an existing investigation timeline into the bar by clicking the all investigations icon and selecting an investigation. You can only add investigations to the investigation bar if you are a collaborator with write permissions on the investigation.
  • Click the toggle timeline icon to view a timeline view of your investigation and review the progression of events in the investigation.

Add a notable event to an investigation

You can add a notable event to an investigation from the Incident Review dashboard. See Add a notable event to an investigation.

Add a Splunk event to an investigation

  1. Expand the event details to see the Event Actions menu and other information.
  2. Click Event Actions and select Add to Investigation.
  3. A tab opens. Select from existing investigations, or create one.
  4. Click Save.

Add an entry from your action history to an investigation

The action history stores a history of the actions that you have performed in Splunk Enterprise Security, such as searches that you have run, dashboards you have viewed, and per-panel filtering actions that you have performed.

Add an entry from your action history to an investigation from a dashboard with the investigation bar. You can filter action history items by type or time to find the action history items.

  1. From the investigation bar, click the action history icon.
  2. Find the actions that you want to add to the investigation.
    Screen image of the action history items for an investigator.
    1. The most recent actions that you've taken display in the action history dialog box. You can only add actions from your own action history.
    2. Search, sort by time, or filter by action type (search run, dashboard viewed, panel filtered, notable status change, or notable events suppressed) to locate the action you want to add.
    3. For searches, click the plus sign to view the full search string and verify that you are adding the correct search.
  3. Select the check box next to the action or actions that you want to add to the investigation timeline.
  4. Click Add to Investigation.
    The actions are added to the investigation that you are viewing or that is selected in the investigation bar.

See Your action history.

Add a note

Add a note to an investigation to record investigation details or add attachments. You can add a note from dashboards in Splunk Enterprise Security.

  1. From the investigation bar, click the notes icon.
  2. Type a title.
    For example, "Phone conversation with police."
  3. (Optional) Select a time. The default is the current date and time.
    For example, select the time of the phone call.
  4. (Optional) Type a description.
    For example, a note to record a phone conversation might include the description: Called the police. Spoke with Detective Reggie Martin. Discussed an employee stealing identities from other employees.
    This screen image shows adding a note to an investigation
  5. (Optional): Attach a file to the note.
    1. From the note, click the paperclip icon or drag the file onto the note.
    2. Select a file to add from your computer.
      The maximum file size is 4 MB. You can add multiple files to a note. The first file you add to the note previews on the investigation timeline.
  6. Click Add to Investigation to add the note to the open investigation or click Save as Draft.

Note: When you save a note as a draft, it stays associated with the investigation that was selected when you created the note but does not appear on the investigation. Retrieve draft notes by clicking the all draft notes icon.
This screen image shows example draft notes

Make changes to investigation entries

Make changes to the entries on an investigation from the list view or the timeline view.

Delete a single investigation entry from the timeline view

  1. Find the entry on the timeline view.
  2. Click Action > Delete Entry.
  3. Click Delete to confirm deleting the entry.

Delete investigation entries from the list view

  1. Click List to view the investigation as a list of entries.
  2. Select the check box next to the investigation entries that you want to delete.
  3. Click Action and select Delete.
  4. Click Delete to confirm deleting the entry.

Change a note

  1. Find the note in the investigation and open the note for editing.
    1. From the timeline view of the investigation click Action > Edit Note
    2. From the list view of the investigation click Edit in the Actions column.
  2. Make changes. For example, add a new attachment and add a sentence to the description describing the new attachment.
  3. Remove a file attachment by clicking the X next to the file name.
  4. Click Save.

Close an investigation

You can indicate that na investigation is closed in several ways.

  • Change the title to include the word "Closed" so that you can filter on closed investigations on My Investigations.
  • Add a note at the end of the investigation to identify the investigation as closed.

Change the title and description of an investigation

You can also change the title and description of an investigation. For example, change the name of the investigation as your investigation progresses to more accurately describe the security incident you are investigating.

  1. From the investigation bar, click the edit investigation icon. From the investigation view, click Edit.
  2. Change the title or description.
  3. Click Save.

Run a quick search from the investigation bar

Run a search without opening the search dashboard by clicking Quick Search the quick search icon on the investigation bar.

  • Add the search to the investigation in the investigation bar by clicking Add to Investigation.
  • Use the Event Actions to add specific events in the search results to an investigation.
  • To save the search results at investigation time, click Export to export the search results as a CSV file. Add the search results as an attachment to a note on the investigation.
  • Click Open in Search to view the search results on the Search dashboard.
  • Enlarge or shrink your view of the search results by clicking and dragging the corner of the window. Double click to expand the search view to cover most of your screen, or double click again to shrink it.

Collaborate with another analyst

You can collaborate with other analysts on an investigation.

Add a collaborator to an investigation

  1. Open the investigation that you want to add a collaborator to.
  2. Click the add collaborators icon.
  3. Type the name of the person you want to add and select their name from the list to add them to the investigation. This screen image shows the list of collaborators that appear when you click the add collaborators plus icon.
  4. Their initials appear in a circle to confirm that they were added.

You can add any Splunk user in your deployment as a collaborator. By default, a collaborator has write permissions on the investigation.

View the collaborators assigned to an investigation

You can view the collaborators assigned to an investigation from an individual investigation or from the Investigations dashboard.

  • Hover over the collaborator icons to see the names of the collaborators on your investigation.
  • If a collaborator does not have write permissions for an investigation, the icon is gray and (read-only) is appended to their name.
  • Click the icon of a collaborator to see information about them. See their name and the permissions that the user has for the investigation.

This screen image shows the name and permissions options that show when you click a collaborator icon.

Make changes to the collaborators on an investigation

If you are a collaborator on an investigation with write permissions, you can change the permissions of other collaborators on the investigation.

  1. Click the icon of a collaborator.
  2. Change the Write permissions. By default, all collaborators have Yes for Write permissions. All investigations must have at least one collaborator with write permissions.

You can remove a collaborator if they are not the only collaborator on the investigation with write permissions.

  1. Click the icon of a collaborator.
  2. Click Remove.

Review an investigation

Revisit past investigations, or view a current investigation by clicking the title from the investigation bar or from the Investigations dashboard. Users with the capability to manage all investigations can view all investigations. Only collaborators on an investigation with write permissions can edit an investigation. See Access to investigations.

Review an investigation for training or research purposes. Click an entry on an investigation to see all details associated with it.

  • For notes with file attachments, click the file name to download the file attachment.
  • For notable events, click View on Incident Review to open the Incident Review dashboard filtered on that specific notable event.
  • For action history entries, you can repeat the previously-performed action. For a search action history entry, click the search string to open it in search. For a dashboard action history entry, click the dashboard name to view the dashboard.

ES42 Timeline Big.png

Gain insight into an attack or investigation by viewing the entire investigation timeline or view only part of it by expanding or contracting the timeline. ES42 Timeline Zoom.png

Click the timeline to move it and scan the entries. View a chronological list of all timeline entries by clicking the list icon, or refine your view of the timeline using filters. You can filter by type or use the Filter box to filter by title.

Share or print an investigation

To share an investigation with someone that does not use Splunk Enterprise Security, such as for auditing purposes, you can print any investigation or save any investigation as a PDF.

  1. From the investigation, click the print icon. Splunk Enterprise Security generates a formatted version of the investigation timeline with entries in chronological order.
  2. Print the investigation or save it as a PDF using the print dialog box options.

Example investigation workflow

  1. You are notified of a security incident that needs investigation through a notable event, an alert action, or by an email, ticket from the help desk, or a phone call.
  2. Create an investigation in Splunk Enterprise Security.
  3. If you must work with someone else on the investigation, add them as a collaborator.
  4. Investigate the incident. While you investigate, add helpful or insightful steps to the investigation.
    1. Run searches, adding useful searches to the investigation from your action history with the investigation bar or relevant events using event actions. This makes it easy to replicate your work for future, similar investigations, and to make a comprehensive record of your investigation process.
    2. Filter dashboards to focus on specific elements, like narrowing down a swim lane search to focus on a specific asset or identity on the asset or identity investigator dashboards. Add insightful filtering actions from your action history to the investigation using the investigation bar.
    3. Triage and investigate potentially related notable events. Add relevant notable events to the investigation.
    4. Add notes to record other investigation steps, such as notes from a phone call, email or chat conversations, links to press coverage or social media posts. Upload files like screenshots or forensic investigation files.
  5. Complete the investigation and add a note to record a summary of your findings.

Your action history

While you investigate an attack or other security incident, actions that you take in Splunk Enterprise Security are recorded in your action history. You can only view your own entries in your action history. After you add an item to an investigation, all collaborators on the investigation can view that entry.

Your action history tracks the following types of actions using saved searches:

  • Dashboards you visit
  • Searches you run
  • Per-panel filtering actions you take
  • Changes you make to a notable event
  • Changes you make to the suppression filters of a notable event

See Data sources for investigations.

Splunk Enterprise Security tracks these actions to help you add context to an investigation, audit an investigation, and give a complete history of actions taken during an investigation that resulted in relevant findings. For example, if you run a search that gives helpful information for an investigation, you can add that search to the investigation. You can then find that search string in the investigation, run the search again, or revisit a search to save it as a report when the investigation is over.

PREVIOUS
Included adaptive response actions with Splunk Enterprise Security
  NEXT
Manage security investigations in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters