Splunk® Enterprise Security

Use Splunk Enterprise Security


Investigate a notable event on Incident Review in Splunk Enterprise Security

After you finish triaging notable events, begin your investigation. Use the fields available on a notable event to assess its urgency, the events that contributed to it, and the risk scores of the assets and identities involved.

Open the event details to learn more about a notable event.

  • Review the History to see the recent investigation activity on the notable event. Click View all recent activity for this Notable Event to see analyst comments, status changes, and other activities for the event.
  • Determine if the notable event is part of an existing investigation by reviewing the Related Investigations section. Click the name of the investigation to open it.
  • See which correlation search generated the notable event. Click the name of the correlation search to review or edit its definition and understand why the notable event was created.
  • View the Contributing Events that caused the notable event to be created.
  • Review the risk scores listed for assets and identities involved in a notable event. Click a risk score to open the Risk Analysis dashboard filtered on that asset or identity.
  • If one original event created a notable event, you can see the full details of the original event.
  • Review the Adaptive Responses to see which adaptive response actions have been performed for this notable event, whether each action completed successfully, and drill down for more details. Click the name of a response action to see the results generated by that invocation. Click View Adaptive Response Invocations to see the raw audit events for the response actions associated with this correlation search. It can take up to five minutes for updates to appear in this table.
  • Review the Next Steps to see if any next steps for notable event triage are defined.
  • Click Create Short ID to create a short ID to share with other analysts. You can also share a notable event with a link. See Take action on a notable event on Incident Review in Splunk Enterprise Security.
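As an added example that is not part of the Splunk documentation above, the following SPL search reproduces in the search bar what clicking a risk score on the event details does: it totals the risk events recorded against one asset over the past week and lists the correlation searches that contributed to that total. It assumes the Enterprise Security risk index and its standard fields (`risk_object`, `risk_object_type`, `risk_score`, `source`), which this page does not show, and `HOST-PLACEHOLDER` is a constructed stand-in for the asset name taken from the notable event.

```spl
index=risk risk_object="HOST-PLACEHOLDER" risk_object_type="system" earliest=-7d
| stats sum(risk_score) AS total_risk_score count AS risk_events values(source) AS contributing_searches min(_time) AS first_seen max(_time) AS last_seen BY risk_object risk_object_type
| convert ctime(first_seen) ctime(last_seen)
```

Compare `total_risk_score` with the score shown on the notable event, and look at `contributing_searches`: a score built from many distinct correlation searches over a short window usually deserves more urgency than the same score produced by one noisy search firing repeatedly. Change `risk_object_type` to `user` to run the same check for an identity.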

Find the sequenced events generated by the event sequence template

Once you have created a sequence template and it has reached its end state, the output is listed as a sequenced event on the Incident Review dashboard. See Find the sequenced events generated by the event sequence template.


This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0

