Start an investigation in Splunk Enterprise Security
You can start an investigation in several ways in .
- Start an investigation from Incident Review while triaging notable events. See Add a notable event to an investigation.
- Start an investigation with an event workflow action. See Add a Splunk event to an investigation.
- Start an investigation from the Investigations page.
- Start an investigation when viewing a dashboard using the investigation bar.
After you start an investigation, you can investigate assets and identities using the investigation workbench, and start adding details to the investigation.
By default, users with the ess_admin and ess_analyst roles can start an investigation.
Start an investigation from the Investigations page
Start an investigation from the Investigations page.
- Click Create New Investigation.
- Type a title.
- Select a status.
- (Optional) Type a description.
- Click Save.
Start an investigation from the investigation bar
When viewing dashboards in , you can see an investigation bar at the bottom of the page. You can use the investigation bar to track your investigation progress from any page in .
- Click the icon to create an investigation.
- Type a title.
- Select a status.
- (Optional) Type a description.
- Click Save.
The investigation is loaded in the investigation bar.
Investigations in | Investigate a potential security incident on the investigation workbench in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!