Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Investigate a potential security incident on the investigation workbench in Splunk Enterprise Security

Investigate assets and identities, or artifacts, involved in a potential security incident on the investigation workbench. After you create an investigation in , you can start using the workbench for that investigation. Each investigation has a separate workbench.

When you investigate artifacts on an investigation workbench, by default you see Context, Endpoint Data, and Network Data tabs. Those tabs contain panels that help you gain context into the assets and identities you investigate, endpoint-related data such as file system activity, and network data such as network traffic.

Add artifacts to the scope of your investigation

As part of your investigation on the workbench, you can add assets, identities, files, and URLs as artifacts to the scope of your investigation so that you can verify whether or not they are affected by, or participants in, the overall security incident.

For example, if you're investigating a malware outbreak at your organization, you can add hosts to the scope that you suspect are infected with malware without adding the associated events to the timeline and recording them as verifiably compromised. Add them to the scope first and review the relevant panels for additional context. If you discover that an artifact is part of the security incident you are investigating, you can add the event or detail that revealed that insight to the investigation to record that information for later.

You can add any value as an artifact on the workbench. Assets and identities added as artifacts to the scope are not limited to the assets and identities in the asset and identity framework in Splunk Enterprise Security.

Manually add artifacts to the scope of your investigation

When artifacts are extracted, duplicates are not created if they already exist in the investigation. You will see a notification that "the following artifacts already exist and have not been added." The existing artifact is not linked against the new notable event that would have caused the duplicate artifact to be created. This does not prevent you from manually adding a duplicate artifact.

You can manually add artifacts such as assets, identities, files, or URLs to the scope of your investigation on the workbench.

  1. From the ES menu bar, select Investigations.
  2. Open an investigation to view the workbench for that investigation.
  3. On the Artifacts panel, click Add Artifact.
    • To add one artifact, use the default Add artifact tab:
      1. For Artifact, type the value of the artifact.
      2. For Type, select the type of the artifact: Identity, Asset, File, or URL.
        The file artifact is a filename, file hash, or file path.
      3. (Optional) Type a description.
        For example, Personal computer infected by ransomware.
      4. (Optional) Type one or more labels to contextualize the entity. Press enter to add a label, or use a comma-separated entry for multiple labels.
        For example, ransomware, laptop, mac.
      5. (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups and add the correlated artifacts to the investigation scope.

        Only assets and identities can be expanded.

    • To add multiple artifacts:
      1. Select the Add multiple artifacts tab.
      2. Select the Type: Identity, Asset, File or URL. All artifacts that you add must be the same type.
        The file artifact is a filename, file hash, or file path.
      3. You can use a comma or a line break as a delimiter. Select a Separator that delimits the list of assets or identities.
      4. Type or paste the values for the assets or identities, using the separator specified in the previous step.
      5. (Optional) Type a description to apply to all artifacts that you are adding.
        For example, Potentially-infected computers in the HR department.
      6. (Optional) Type one or more labels to apply to all artifacts that you are adding. Press enter to add a label, or use a comma-separated entry for multiple labels.
        For example, ransomware, laptop, mac.
  4. Click Add to Scope to add the artifacts to your investigation scope.

The artifacts that you add to your investigation scope manually are automatically selected so that you can click Explore and continue your investigation with the new artifacts.

The labels can be seen under the workbench tab if you hover over the artifact and select the information icon (i). Labels can also be seen under the summary tab.

Add artifacts from a workbench panel

If a workbench panel has drilldown enabled, you can add field values as artifacts from the panel.

  1. Open the investigation and view the workbench.
  2. Select artifacts and click Explore.
  3. In a panel, click a field value.
    The Add Artifact dialog box appears with the value already added.
  4. Select a Type for the artifact. Some types, such as IP addresses, are automatically detected.
  5. (Optional) Add a description for the artifact.
  6. (Optional) Add labels for the artifact.
  7. (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups and add the correlated artifacts to the investigation scope.
  8. Click Add to Scope to add the artifact to your investigation scope.

The ability to add artifacts replaces any other drilldown that might exist on the panel. See Administer and customize the investigation workbench in Administer Splunk Enterprise Security.

Add artifacts from a raw event on the investigation

After you add an event to the investigation, you can add field values from the event as artifacts to your investigation scope.

  1. Open the investigation and view the Timeline of the investigation.
  2. Locate the event in the Slide View.
  3. Click Details to view a table of fields and values in the event.
  4. Click the value that you want to add to the investigation scope.
    The Add Artifact dialog box appears with the value already added.
  5. Select a Type for the artifact. Some types, such as IP addresses, are automatically detected.
  6. (Optional) Add a description for the artifact.
  7. (Optional) Add labels for the artifact.
  8. (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups and add the correlated artifacts to the investigation scope.
  9. Click Add to Scope.

Adjust the time range of your investigation

If there are notable events on the investigation, the workbench searches over a suggested time range based on the times of the notable events on the investigation. Time analysis suggests a time range based on the _time value of the earliest and latest notable events on the investigation.

If there are no notable events on an investigation, the workbench uses your default time range settings. See Change the default time range in the Search Manual.

If a time range is defined in the XML or in the search of a prebuilt panel, that time range takes precedence over the time range that you choose on the workbench.

Add new tabs and profiles to the workbench

Your administrator can develop additional panels, tabs, and profiles, which you can then add to the workbench to further simplify your investigation process. See Administer and customize the investigation workbench.

Add the new profiles and tabs to an investigation workbench.

  1. Open an investigation and click Explore to explore artifacts on the workbench.
  2. Click Add Content.
  3. To load a profile on the workbench, click Load profile.
    1. Select a profile.
    2. Click Save.
  4. To add a tab to the workbench, click Add single tab.
  5. Select a profile or a tab.
    1. Click Save.

Tabs and profiles that you add to the investigation workbench disappear when you refresh the workbench. Only the default tabs display.


Cloud alerts use case

Add a single tab to the investigation workbench for importing cloud-alerts-related notable events into an investigation and getting context about what you are investigating.

See the previous add new tabs to the workbench section. Select the Alerts tab from the drop-down menu.

The pre-built panels in the Alerts tab reference investigative searches from the existing analytic stories that are related to infrastructure as a service, and they leverage the cloud-related fields in the Alerts data model. See Alerts.

You can see alert events over time by source, destination, user, and signature id. You can also see alert events over time by app for severity and by app for MITRE technique ID.

Cloud authentication use case

Add a single tab to the investigation workbench for importing cloud-authentication-related notable events into an investigation and getting context about what you are investigating.

See the previous add new tabs to the workbench section. Select the Authentication tab from the drop-down menu.

The pre-built panels in the Authentication tab reference investigative searches from the existing analytic stories that are related to infrastructure as a service, and they leverage the cloud-related fields in the Authentication data model. See Authentication.

The panels also support the concept of filtering based on the account ID. Expand the panels to full size, so that you can load all user activity across all your cloud vendor accounts, filter down to a specific account and specific user, or see which apps and agents are involved in privilege escalations (such as sudo su - or short-lived credentials for service accounts).

Cloud network traffic use case

Add a single tab to the investigation workbench for importing cloud-network-traffic-related notable events into an investigation and getting context about what you are investigating.

See the previous add new tabs to the workbench section. Select the Network Traffic tab from the drop-down menu.

The pre-built panels in the Network Traffic tab reference investigative searches from the existing analytic stories that are related to infrastructure as a service, and they leverage the cloud-related fields in the Network Traffic data model. See Network Traffic.

You can see network traffic details by source, destination, or device. Examples include: the top ports and protocols; accepted traffic over time; rejected traffic per source, destination, or device. The panels also support the concept of filtering based on the vendor account.

Last modified on 19 January, 2022
Start an investigation in Splunk Enterprise Security   Add details to an investigation in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters