Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Add details to an investigation in Splunk Enterprise Security

As an analyst working on an investigation, add details and evidence to your investigation by adding events, actions, and notes. While you conduct your investigation using Splunk Enterprise Security, you can add notable events or Splunk events that add insight to the investigation. Add searches, suppression filters, and dashboard views to the investigation from your action history. Record important investigation steps that you take, such as phone, email, or chat conversations as notes on the investigation. You can use notes to add relevant information like links to online press coverage, tweets, or upload screenshots and files.

Run a quick search from the investigation bar

Run a search without opening the search dashboard by clicking Quick Search the quick search icon on the investigation bar.

  • Add the search to the investigation in the investigation bar by clicking Add to Investigation.
  • Use the Event Actions to add specific events in the search results to an investigation.
  • To save the search results at investigation time, click Export to export the search results as a CSV file. Add the search results as an attachment to a note on the investigation.
  • Click Open in Search to view the search results on the Search dashboard.
  • Enlarge or shrink your view of the search results by clicking and dragging the corner of the window. Double click to expand the search view to cover most of your screen, or double click again to shrink it.

Add a notable event to an investigation

You can add a notable event to an investigation from the Incident Review dashboard. See Add a notable event to an investigation.

If the status of a notable event changes, or if an adaptive response action is run from the notable event, the investigation is updated with that information.

Add a Splunk event to an investigation

Add an event from the Splunk search page to an investigation. You can only add an event to an investigation from the search page in the Splunk Enterprise Security context.

You can only add an event from the search page to an investigation if you are in Splunk

  1. Expand the event details to see the Event Actions menu and other information.
  2. Click Event Actions and select Add to Investigation.
  3. A tab opens. Select from existing investigations, or create one.
  4. Click Save.

Add an entry from your action history to an investigation

The action history stores a history of the actions that you have performed in Splunk Enterprise Security, such as searches that you have run, dashboards you have viewed, and per-panel filtering actions that you have performed.

Add an entry from your action history to an investigation from a dashboard with the investigation bar. You can filter action history items by type or time to find the action history items.

  1. From the investigation bar, click the action history icon.
  2. Find the actions that you want to add to the investigation.
    Screen image of the action history items for an investigator.
    1. The most recent actions that you've taken display in the action history dialog box. You can only add actions from your own action history.
    2. Search, sort by time, or filter by action type (search run, dashboard viewed, panel filtered, notable status change, or notable events suppressed) to locate the action you want to add.
    3. For searches, click the plus sign to view the full search string and verify that you are adding the correct search.
  3. Select the check box next to the action or actions that you want to add to the investigation timeline.
  4. Click Add to Investigation.
    The actions are added to the investigation that you are viewing or that is selected in the investigation bar.

See Refer to your action history.

Add a note to an investigation

Add a note to an investigation to record investigation details or add attachments. You can add a note from dashboards in Splunk Enterprise Security.

  1. From the investigation bar, click the notes icon.
  2. Type a title.
    For example, "Phone conversation with police."
  3. (Optional) Select a time. The default is the current date and time.
    For example, select the time of the phone call.
  4. (Optional) Type a description.
    For example, a note to record a phone conversation might include the description: Called the police. Spoke with Detective Reggie Martin. Discussed an employee stealing identities from other employees.
    This screen image shows adding a note to an investigation
  5. (Optional): Attach a file to the note.
    1. From the note, click the paperclip icon or drag the file onto the note.
    2. Select a file to add from your computer.
      The maximum file size is 4 MB. You can add multiple files to a note. The first file you add to the note previews on the investigation timeline.
  6. Click Add to Investigation to add the note to the open investigation or click Save as Draft.

Note: When you save a note as a draft, it stays associated with the investigation that was selected when you created the note but does not appear on the investigation. Retrieve draft notes by clicking the all draft notes icon.
This screen image shows example draft notes

PREVIOUS
Start an investigation in Splunk Enterprise Security
  NEXT
Make changes to an investigation in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters