Splunk® Enterprise Security

Administer Splunk Enterprise Security

Change the status of a finding or an investigation in Splunk Enterprise Security

Change the status of a finding or an investigation during the triage process to move a finding or an investigation through the investigation workflow. The owner of the finding or an investigation can update the status to reflect the actions they take to address the event. New findings or investigations have the New status.

If your Splunk Enterprise Security administrator customized the Mission Control page, you might need to enter notes when updating a finding or an investigation.

If you can't immediately see your changes, check the filters. For example, if the filter is set to "New" after you changed an event to "In Progress", you won't be able to see your updated finding or investigation.

Follow these steps to change the status of a finding or an investigation:

  1. In Splunk Enterprise Security, select the finding or the investigation that you want to review from the analyst queue in the Mission Control page to open the details for the finding or the investigation.
  2. In the details page for the finding or investigation, go to the Status drop-down menu.
  3. Select a status from the list of available options.
    You can select from the following finding or investigation statuses.
    Status Description
    Unassigned Used by Splunk Enterprise Security when an error prevents the finding or investigation from having a valid status assignment.
    New Default status. The finding or investigation has not been reviewed.
    In progress An owner is working on the finding or investigation.
    Pending The assignee must take an action.
    Resolved The owner has addressed the cause of the finding or investigation and is waiting for verification.
    Closed The resolution of the finding or investigation has been verified.
  4. (Optional) In the Notes field, add a title and description to describe the actions you took.
  5. Select Save to save your changes.

After you change the status of a finding group to Closed or Resolved , Splunk Enterprise Security can still detect new intermediate findings or findings and add them to that finding group. If new intermediate findings or findings are added to a finding group within the maximum append time range, the finding group reopens with a New status for analysts to investigate again. In such cases, Splunk Enterprise Security adds an auto-generated note to the finding group stating that it has been reopened because new information was detected.

See also

For more information on how to manage statuses for findings and investigations in Splunk Enterprise Security, see the product documentation:

Last modified on 23 October, 2024
Configure the urgency for findings in Splunk Enterprise Security   Display annotations for findings and investigations in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters