Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Manage and customize investigation statuses in Splunk Enterprise Security

Starting in version 5.0.0, you can add statuses to investigations. After upgrading to this version, investigations that did not have a status are assigned the New status.

To change the status of an investigation, an analyst must have the transition_reviewstatus-<x>_to_<y> capability for the statuses that they want to transition between. The ess_analyst role and the ess_admin role have those capabilities for all statuses by default. Modifying status transitions for investigations modifies these capabilities.

To make changes to statuses as an analyst, you must have the edit_reviewstatuses capability. The ess_admin role has this capability by default. See Configure users and roles in the Installation and Upgrade Manual.

Create an investigation status

Create a status for analysts to select when performing an investigation.

If you restrict status transitions, update status transitions after creating a status, otherwise analysts will be unable to select the new status. See Restrict status transitions for investigations in this topic.

  1. From the Enterprise Security toolbar, select Configure > Incident Management > Status Configuration.
  2. (Optional) Select the Investigation tab to review existing investigation statuses.
  3. Select Create New Status > Investigation.
  4. Type a Label that appears as the name of the status on the investigation.
    For example, Waiting on Desktop IT.
  5. (Optional) Type a Description that appears on the Status Configuration page to describe the status.
    For example, Investigation is waiting for desktop IT to perform additional remediation or forensics steps.
  6. (Optional) Select the check box for Default Status to set this status as the default for newly-created investigations.
  7. (Optional) Select the check box for End Status to set this status as a possible last status for an investigation.
  8. (Optional) Deselect the check box for Enabled to create the status without allowing anyone to use it yet.
  9. Update the user roles that are able to transition an investigation from this new status, for example Waiting on Desktop IT, to another status, such as Closed. If you do not select any roles that can transition from this status to another one, no one will be able to move the investigation to a different status after transitioning the investigation to this status.
  10. Click Save.

Restrict status transitions for investigations

The status transitions that can be made on an investigation define the path of an investigation. By default, an investigation in any status can be changed to any other status. For example, someone can change the status of an investigation in the New status to any other status, such as Closed.

If you create a new notable with a custom status without assigning any status transitions to the notable state, the notable status does not appear in any of the ES drop down menus such as the Incident Review page or correlation searches. You must set at least one status transition for the new notable state.

You can restrict the statuses that analysts can choose when investigating. Determine which statuses to require, and whether analysts must follow a specific sequence of statuses before completing an investigation. Determine whether any roles can bypass the full sequence of statuses.

This example walks you through setting up restricting status transitions for analysts. Restrict status transitions so that analysts must follow a path from New, to In Progress or Pending, to Resolved, then to Closed.

1 2 3 4
New In Progress
Pending
Resolved Closed


Prerequisite You must have the ess_admin role or your role must be assigned the Edit Statuses capability. For more information about user roles and capabilities, see Configure users and roles in the Installation and Upgrade Manual.


  1. On the Splunk Enterprise Security toolbar, select Configure > Incident Management > Status Configuration.
  2. Click the Investigation tab.
  3. Restrict the transitions from the New status. Select the New status to open the Edit Investigation Status page.
  4. In Status Transitions, select the roles for the Resolved status and deselect the check box for the ess_analyst role.
  5. Select the roles for the Closed status and deselect the check box for the ess_analyst role.
  6. Click Save to save the changes to the New status.
  7. Restrict the transitions on the In Progress and Pending statuses to prevent the ess_analyst role from transitioning to New or to Closed.
  8. Click the Investigation tab and select the In Progress status.
  9. In Status Transition, select the roles for the New status and deselect the check box for the ess_analyst role. Repeat for the Closed status.
  10. Click Save to save the changes to the In Progress status. Repeat those steps for the Pending status.
  11. Restrict the Resolved status. Click the Investigation tab and select the Resolved status.
  12. In Status Transition, select the roles for the New status and deselect the check box for the ess_analyst role. Repeat for the In Progress and Pending statuses.
  13. Click Save to save the changes to the Resolved status.
  14. Restrict the transitions for the Closed status. Click the Investigations tab and select the Closed status.
  15. In Status Transition, select the roles for the New status and deselect the check box for the ess_analyst role. Repeat for the In Progress, Pending, and Resolved statuses.
  16. Click Save to save the changes for the Closed status.
Last modified on 16 March, 2022
Administer and customize the investigation workbench   Create a workbench panel workflow action in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters