Investigate a notable event on Incident Review in Splunk Enterprise Security
After you finish triaging notable events, begin your investigation. Use the available fields on a notable event to assess the urgency, contributing events, and risk scores associated with the notable event.
Open the event details to learn more about a notable event.
- Review the History to see the recent investigation activity on the notable event. Click View all recent activity for this Notable Event to see analyst comments, status changes, and other activities for the event.
- Determine if the notable event is part of an existing investigation by reviewing the Related Investigations section. Click the name of the investigation to open it.
- See which correlation search generated the notable event. Click the name of the correlation search to review or modify it and understand why the notable event was created.
- View the Contributing Events that caused the notable event to be created.
- Review the risk scores listed for assets and identities involved in a notable event. Click a risk score to open the Risk Analysis dashboard filtered on that asset or identity.
- If a single original event created the notable event, you can view the full details of that original event.
- Review the Adaptive Responses to see which adaptive response actions have been performed for this notable event, whether the actions were successfully performed, and drill down for more details. Click the name of the response action to see potential results generated by this action's invocation. Click View Adaptive Response Invocations to see the raw audit events for the response actions associated with this correlation search. It takes up to five minutes for updates to appear on this table.
- Review the Next Steps to see if any next steps for notable event triage are defined.
- Click Create Short ID to create a short ID to share with other analysts. You can also share a notable event with a link. See Take action on a notable event on Incident Review in Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1