Manage investigations in Splunk Enterprise Security
As an Enterprise Security administrator, you can manage access to security investigations and support analysts by troubleshooting problems with their action history.
For more information about the analyst investigation workflow, see Investigations in Splunk Enterprise Security in Use Splunk Enterprise Security.
Manage access to investigations
Users with the ess_admin role can create, view, and manage investigations by default. Users with the ess_analyst role can create and edit investigations. Make changes to capabilities with the Permissions dashboard.
- To allow other users to create or edit an investigation, add the Use Investigations permission to their role. Users can only make changes to investigations on which they are a collaborator.
- To allow other users to manage, view, and delete all investigations, add the Manage All Investigations permission to their role.
See Configure users and roles in the Installation and Upgrade Manual.
You can manage who can make changes to an investigation by setting write permissions for collaborators on a specific investigation. By default, all collaborators have write permissions for the investigations to which they are added, but other collaborators on the investigation can change those permissions to read-only. See Make changes to the collaborators on an investigation in Use Splunk Enterprise Security.
After a user creates an investigation, any user with the Manage All Investigations permission can view the investigation, but only the collaborators on the investigation can edit the investigation. You cannot view the investigation KV Store collections as lookups.
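The rules above combine a role-level permission (Use Investigations, Manage All Investigations) with a per-investigation collaborator list, so it is easy to misjudge who can actually edit or delete a given investigation. The following is an added example, not Splunk's own code, that models those rules so an administrator can check the outcome for a set of users before changing roles. The permission strings, the default role mapping, and the Investigation record are assumed representations for illustration; Splunk Enterprise Security evaluates these rules internally and keeps investigation data in the KV Store.

```python
"""Who can view, edit or delete a Splunk Enterprise Security investigation?

Added example, not Splunk's own code. Models the rules documented above:
'Use Investigations' lets a user create investigations and edit the ones they
collaborate on with write permission; 'Manage All Investigations' lets a user
view and delete any investigation but does not by itself grant edit rights.
Permission strings, role mapping and the Investigation record are assumed.
"""
from dataclasses import dataclass, field

USE_INVESTIGATIONS = "Use Investigations"
MANAGE_ALL_INVESTIGATIONS = "Manage All Investigations"

# Assumed: the default permissions as described on the page; the real mapping
# is edited with the Permissions dashboard.
DEFAULT_ROLE_PERMISSIONS = {
    "ess_admin": {USE_INVESTIGATIONS, MANAGE_ALL_INVESTIGATIONS},
    "ess_analyst": {USE_INVESTIGATIONS},
    "ess_user": set(),
}


@dataclass
class Investigation:
    name: str
    # collaborator username -> True for write permission, False for read-only
    collaborators: dict = field(default_factory=dict)


def permissions_for(roles, role_permissions=DEFAULT_ROLE_PERMISSIONS):
    """Union of the investigation permissions granted by a user's roles."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def can(user, roles, action, inv, role_permissions=DEFAULT_ROLE_PERMISSIONS):
    """Decide whether `user` (holding `roles`) may perform `action` on `inv`."""
    perms = permissions_for(roles, role_permissions)
    is_collaborator = user in inv.collaborators
    has_write = inv.collaborators.get(user, False)
    if action == "create":
        return USE_INVESTIGATIONS in perms
    if action == "view":
        # Assumed: collaborators can always see investigations they are added to.
        return MANAGE_ALL_INVESTIGATIONS in perms or is_collaborator
    if action == "edit":
        # Only collaborators with write permission may edit, and only if their
        # role allows using investigations at all.
        return USE_INVESTIGATIONS in perms and is_collaborator and has_write
    if action == "delete":
        return MANAGE_ALL_INVESTIGATIONS in perms
    raise ValueError(f"unknown action: {action}")


def who_can(action, inv, users, role_permissions=DEFAULT_ROLE_PERMISSIONS):
    """Sorted users from a {user: [roles]} table allowed to perform `action`."""
    return sorted(u for u, roles in users.items()
                  if can(u, roles, action, inv, role_permissions))


if __name__ == "__main__":
    # Constructed sample: one writer, one read-only collaborator, two outsiders.
    inv = Investigation("Suspicious logins - 2017-08", {"alice": True, "bob": False})
    users = {"alice": ["ess_analyst"], "bob": ["ess_analyst"],
             "carol": ["ess_admin"], "dave": ["ess_user"]}
    for action in ("view", "edit", "delete"):
        print(f"{action:6}: {who_can(action, inv, users)}")
```

Note that with the defaults, an ess_admin who is not a collaborator can view and delete the investigation but cannot edit it, and a read-only collaborator can view but not edit; the only way to edit is to be a collaborator with write permission on that specific investigation.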
Data sources for investigations
Splunk Enterprise Security stores investigation information in several KV Store collections. The investigations on the Investigations dashboard, items added to the investigation, and attachments added to the investigation each have their own collection. See Investigations in the Dashboard requirements matrix for Splunk Enterprise Security.
Investigation details from investigations created in pre-4.6.0 versions of Splunk Enterprise Security are stored in two KV Store collections: investigative_canvas and investigative_canvas_entries. Those collections are preserved in version 4.6.0, but their contents are migrated into the new investigation KV Store collections.
Troubleshoot investigation action history items
Action history items do not immediately appear in your action history after you perform an action. You can only view action history items and add them to an investigation after the saved searches that create action history items run. By default, the searches run every two minutes. Five saved searches create action history items:
- Dashboard Views - Action History
- Search Tracking - Action History
- Per-Panel Filtering - Action History
- Notable Suppression - Action History
- Notable Status - Action History
View the searches by navigating to Configure > Content Management and using the filters on the page. If you change these saved searches, action history items might stop appearing in your action history. To exclude a search from your action history, use the Action History Search Tracking Whitelist lookup. See Create and manage lookups in Splunk Enterprise Security.
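Because action history only appears after these five searches run, the quickest check when items go missing is whether any of them has been disabled, unscheduled, or moved off its two-minute schedule. The following is an added example, not part of the Splunk documentation or product, that reads the saved-search list from the Splunk REST endpoint /services/saved/searches (output_mode=json) and reports those conditions. The host, credentials, the `*/2 * * * *` cron representation of the default schedule, and the sample response embedded in the block are constructed for illustration; run it with SPLUNK_URL, SPLUNK_USER and SPLUNK_PASS set to audit a live search head, or without them to exercise the sample data.

```python
"""Audit the saved searches that populate Action History in Splunk ES.

Added example, not Splunk's own code. Reports action history searches that
are missing, disabled, unscheduled or not on a two-minute schedule, based on
the JSON returned by /services/saved/searches. Host, credentials, the cron
representation of the default schedule and SAMPLE_ENTRIES are assumptions.
"""
import base64
import json
import os
import ssl
import urllib.request

# The five searches named in the documentation.
ACTION_HISTORY_SEARCHES = [
    "Dashboard Views - Action History",
    "Search Tracking - Action History",
    "Per-Panel Filtering - Action History",
    "Notable Suppression - Action History",
    "Notable Status - Action History",
]


def fetch_saved_searches(base_url, user, password, verify_tls=True):
    """Return the 'entry' list of saved searches whose name contains 'Action History'."""
    url = (f"{base_url}/services/saved/searches"
           "?search=Action%20History&output_mode=json&count=0")
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab splunkd with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["entry"]


def _truthy(value):
    """splunkd returns flags as JSON true/false or as the strings '1'/'0'."""
    return str(value).lower() in ("1", "true")


def cron_minute_interval(cron):
    """Minute step for schedules like '*/2 * * * *' or '1-59/2 * * * *'; None otherwise."""
    if not cron:
        return None
    minute_field = cron.split()[0]
    if "/" not in minute_field:
        return None
    step = minute_field.split("/", 1)[1]
    return int(step) if step.isdigit() else None


def audit(entries, expected=ACTION_HISTORY_SEARCHES, expected_interval=2):
    """Map each expected search that has a problem to the list of problems found."""
    by_name = {e["name"]: e.get("content", {}) for e in entries}
    problems = {}
    for name in expected:
        issues = []
        content = by_name.get(name)
        if content is None:
            issues.append("missing")
        else:
            if _truthy(content.get("disabled")):
                issues.append("disabled")
            if not _truthy(content.get("is_scheduled")):
                issues.append("not scheduled")
            else:
                cron = content.get("cron_schedule")
                if cron_minute_interval(cron) != expected_interval:
                    issues.append(f"schedule {cron!r} is not every {expected_interval} minutes")
        if issues:
            problems[name] = issues
    return problems


# Constructed sample in splunkd's JSON shape: one search disabled, one moved to
# a 15-minute schedule, and one (Per-Panel Filtering) missing entirely.
SAMPLE_ENTRIES = [
    {"name": "Dashboard Views - Action History",
     "content": {"disabled": False, "is_scheduled": True, "cron_schedule": "*/2 * * * *"}},
    {"name": "Search Tracking - Action History",
     "content": {"disabled": True, "is_scheduled": True, "cron_schedule": "*/2 * * * *"}},
    {"name": "Notable Suppression - Action History",
     "content": {"disabled": "0", "is_scheduled": "1", "cron_schedule": "*/2 * * * *"}},
    {"name": "Notable Status - Action History",
     "content": {"disabled": False, "is_scheduled": True, "cron_schedule": "*/15 * * * *"}},
]

if __name__ == "__main__":
    if os.environ.get("SPLUNK_URL"):  # e.g. https://localhost:8089
        entries = fetch_saved_searches(os.environ["SPLUNK_URL"], os.environ["SPLUNK_USER"],
                                       os.environ["SPLUNK_PASS"], verify_tls=False)
    else:
        entries = SAMPLE_ENTRIES
    for name, issues in audit(entries).items():
        print(f"{name}: {', '.join(issues)}")
```

A search that the audit reports as missing has usually been renamed or deleted; one reported as disabled or rescheduled is the likely cause when a user's action history stops filling in. Searches that should not produce action history items belong in the Action History Search Tracking Whitelist lookup rather than in edits to these saved searches.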
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6