Configure the status of findings and investigations in Splunk Enterprise Security
Configure the status such as Resolved, Closed, New of findings and investigations to make it easier to understand where they fall within the investigation workflow. You can assign a status to a finding in the investigation workflow using the Analyst queue in the Mission Control page. The status aligns with the stages of an investigation and can be used to review and report on the progress of a finding or an investigation on the Audit dashboard.
Manage the status labels of findings and investigations
Manage the possible status values that can be assigned to findings and investigations by defining them in the configuration settings.
Follow these steps to manage the possible values that can be assigned as a status to findings and investigations:
- In Splunk Enterprise Security, select the Configure tab.
- Select Findings and investigations and then select Statuses from the left panel to view a list of available statuses for findings.
The following table identifies the available status option labels for findings and investigations in Splunk Enterprise Security.
Label Description Can be edited Unassigned The finding doesn't have a valid status assignment. No New (default) The finding is not yet reviewed. No In-progress A response to the finding or investigation is in progress. Yes Pending Closure of the finding or investigation is pending some action. Yes Resolved The finding is resolved and awaits verification. Yes Closed The finding is resolved and verified. Yes Every finding or investigation is assigned a status of '''New''' by default when it is created by a detection. You cannot edit the Unassigned and New statuses because they are defaults used when creating findings or investigations.
- Select Turn off to turn off a specific status label. For example, you might want to turn off the Resolved status label because you want to identify the completed findings and investigations only with the status label of Closed.
Manage the status history of findings and investigations
Findings and investigations are associated with users, statuses, and notes. Changes made to status labels only impact the name of a status, not the status ID assigned to the finding in the notable index.
If you change the label of the default status of a finding or an investigation, the label changes for both past and future findings and investigations. For example, if you rename the label "pending" to "waiting for customer", all findings and investigations with a status of "pending" get a status of "waiting for customer". The status ID assigned to the finding or investigation remains the same.
Create a new status label for findings and investigations
Create a new status label for findings and investigations. You can customize the status label of a finding or an investigation to match an existing workflow at your organization.
Prerequisites
If you restrict status transitions, determine where the new status label is needed in the workflow and whether any roles can bypass the new status label in the workflow.
Follow these steps to create a new status label for your organization:
- In Splunk Enterprise Security, select the Configure tab.
- Select Findings and investigations and then select Statuses from the left panel to view a list of available statuses for findings.
- Select +Status to create a new status label to match your organization's workflow. For example, you might want to create a new status label called TBD or To be decided because you want some more time to decide whether certain findings or investigations need further investigation.
- Enter a Label that represents the status on the Analyst queue in the Mission Control page.
For example, Waiting on ITOps. - (Optional) Enter a description.
For example, Waiting on the IT operations department. - Select the Status type such as Finding or Investigation based on whether you want to create the new status label for a finding or an investigation.
- (Optional) Select the check box for Default status if you want to replace the New status as the default status for newly-created findings and investigations.
- (Optional) Select the check box for End Status if you are adding an additional Closed status for findings and investigations, such as False Positive.
- Select Save.
Status transitions for findings and investigations
Statuses represent the steps in investigating a finding or an investigation. Status transitions define the path of an investigation workflow.
As an analyst, you can change the status of the finding or an investigation as the investigation progresses. To change the status of a finding or an investigation, you must meet the following criteria:
- Be a member of a role that has permission to change a status. The ability to change statuses for findings and investigations is available to the ess_analyst and ess_admin roles by default.
if you inherit the ess_analyst' and ess_admin roles, you cannot change the status of findings or investigations. Only non-inherited roles for ess_analyst and ess_admin can change the status of findings and investigations.
- The follow-on status must allow a transition from the current status.
Restrict status transitions for findings and investigations
You can define a status workflow and limit which statuses analysts can transition to other statuses, which creates a path for an investigation. By default, Splunk Enterprise Security user roles such as ess_analyst
have the ability to change the status of findings and investigations to any of the following five options:
- New
- In progress
- Pending
- Resolved
- Unassigned
Status transitions from Unassigned to other default statuses is possible. However, status transitions from other default statuses to Unassigned is not possible.
As a Splunk Enterprise Security administrator, you can restrict the ability of certain users to transition between statuses so that you have more control over managing the operations of your security operations center (SOC).
Prerequisite
- You must have the ess_admin role or your role must be assigned the Edit Statuses capability.
- Define a status workflow to review findings and investigations. Determine which statuses to require, and whether analysts must follow a specific sequence of statuses before completing the investigation workflow. Determine whether any roles can bypass the full workflow.
Follow these steps to restrict status transitions for findings and investigations:
- In Splunk Enterprise Security, select the Configure tab.
- Select Findings and investigations and then select Statuses from the left panel to view a list of available statuses for findings.
- Select +Status to create a new status label to match your organization's workflow. For example, you might want to create a new status label called TBD or To be decided because you want some more time to decide whether certain findings or investigations need further investigation.
- Scroll to Transitions and select the roles that you want to authorize for transitioning from one status to another status. For example, you can select a can_delete role that has the ability to delete a finding or an investigation.
Transitions that are imported from an inherited role can be removed by turning off the transition for the role that is being inherited. If you restrict status transitions based on user roles, modify the status transitions for each status that can transition to this new status.
- Select Save.
Example of status transitions for findings and investigations
Here are some examples to help you restrict status transitions for analysts.
Example 1
Follow these steps if you want to restrict status transitions so that analysts can follow a path from New, to In Progress or Pending, to Resolved, then to Closed.
- In Splunk Enterprise Security, select the Configure tab.
- Select Findings and investigations and then select Statuses from the left panel to view a list of available statuses for findings.
- Select +Status and go to Status transitions.
- Select the roles for the Resolved status and deselect the check box for the ess_analyst role.
- Select the roles for the Closed status and deselect the check box for the ess_analyst role.
- Select Save to save the changes to the New status.
- Restrict the transitions on the In Progress and Pending statuses to prevent the ess_analyst role from transitioning to New or to Closed.
- Select the In Progress status.
- In Status transitions, select the roles for the New status and deselect the check box for the ess_analyst role. Repeat for the Closed status.
- Select Save to save the changes to the In Progress status.
- Repeat the steps for the Pending status.
- Restrict the Resolved status. Select the Investigation tab and select the Resolved status.
- In Status transitions, select the roles for the New status and deselect the check box for the ess_analyst role. Repeat for the In Progress and Pending statuses.
- Select Save to save the changes to the Resolved status.
- Restrict the transitions for the Closed status. Select the Closed status.
- In Status transitions, select the roles for the New status and deselect the check box for the ess_analyst role. Repeat for the In Progress, Pending, and Resolved statuses.
- Select Save to save the changes for the Closed status.
Example 2
Follow these steps to allow the ess_analyst
role to transition from New to In Progress or New to Pending status, but does not allow the ess_analyst
role to transition from New to Resolved or Closed. As an administrator, therefore, you have control over how findings or investigations are resolved or closed in your SOC.
- In Splunk Enterprise Security, select the Configure tab.
- Select Findings and investigations and then select Statuses from the left panel to view a list of available statuses for findings.
- Select +Status and go to Status transitions.
- Using the status drop down, select the user roles that can transition from the New status to the other statuses that are provided as options.
For example: If you do not want to allow the user roleess_analyst
to transition a finding that has a New status to a Resolved or Closed status, you can remove theess_analyst
role from the Resolved and the Closed field options. - Select Save.
See also
For more information on how to manage statuses for findings and investigations in Splunk Enterprise Security, see the product documentation:
- Configure users and roles in the Splunk Enterprise Security Installation and Upgrade Manual.
- Manage analyst workflows using the analyst queue in Splunk Enterprise Security
- Change the status of a finding or an investigation
Modify the fields for findings in Splunk Enterprise Security | Configure dispositions for findings in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Feedback submitted, thanks!