Investigate a notable on Incident Review in Splunk Enterprise Security
After you finish triaging notable events, begin your investigation. Use the available fields on a notable event to assess the urgency, contributing events, and risk scores associated with the notable event.
Open the event details to learn more about a notable event.
- Review the History to see the recent investigation activity on the notable event. Click View all recent activity for this Notable Event to see analyst comments, status changes, and other activities for the event.
- Determine if the notable event is part of an existing investigation by reviewing the Related Investigations section. Click the name of the investigation to open it.
- See which correlation search generated the notable event. Click the name of the correlation search to make changes to or review the correlation search to understand why the notable event was created.
- View the Contributing Events that caused the notable event to be created.
- Review the risk scores listed for assets and identities involved in a notable event. Click a risk score to open the Risk Analysis dashboard filtered on that asset or identity.
- If one original event created a notable event, you can see the full details of the original event.
- Review the Adaptive Responses to see which adaptive response actions have been performed for this notable event, whether the actions were successfully performed, and drill down for more details. Click the name of the response action to see potential results generated by this action's invocation. Click View Adaptive Response Invocations to see the raw audit events for the response actions associated with this correlation search. It takes up to five minutes for updates to appear on this table.
- Review the Next Steps to see if any next steps for notable event triage are defined.
- Click Create Short ID to create a short ID to share with other analysts. You can also share a notable event with a link. See Take action on a notable event on Incident Review in Splunk Enterprise Security.
Why are some of my contributing events missing?
There are some correlation searches that detect a lack of something. For example, the "Endpoint - Should Timesync Host Not Syncing - Rule" detects a lack of successful time synchronization events for a particular host. Another example is the "Audit - Expected Host Not Reporting - Rule" that detects a lack of data from a host.
When notable events are created for these hosts, it is possible that clicking the view all contributing events link from Incident Review will result in "No results found". You can use the time range picker to expand the time range for identifying when the lack of events occurred, but it's possible that "No results found" will persist because the host never did the thing it was supposed to do.
Find the sequenced events generated by the event sequence template
Once you have created a sequence template, and it has reached the end state, the output is listed as a sequenced event in the Incident Review dashboard. See Find the sequenced events generated by the event sequence template.
Triage notables on Incident Review in Splunk Enterprise Security
Take action on a notable on Incident Review in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2