Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Refer to your action history in Splunk Enterprise Security

While you investigate an attack or other security incident, actions that you take in Splunk Enterprise Security are recorded in your action history. You can only view your own entries in your action history. After you add an item to an investigation, all collaborators on the investigation can view that entry.

Your action history tracks the following types of actions using saved searches:

  • Dashboards you visit
  • Searches you run
  • Per-panel filtering actions you take
  • Changes you make to a notable event
  • Changes you make to the suppression filters of a notable event

Splunk Enterprise Security tracks these actions to help you add context to an investigation, audit an investigation, and give a complete history of actions taken during an investigation that resulted in relevant findings. For example, if you run a search that gives helpful information for an investigation, you can add that search to the investigation. You can then find that search string in the investigation, run the search again, or revisit a search to save it as a report when the investigation is over. See Add an entry from your action history to an investigation for more about using your action history when investigating in Splunk Enterprise Security.

Action history items do not immediately appear in the action history list. Five saved searches create action history items. After these saved searches run, you can view the action history items and add them an investigation.

Last modified on 18 January, 2018
Share or print an investigation in Splunk Enterprise Security
Analyze risk in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters