Splunk® Enterprise Security

Administer Splunk Enterprise Security

Manage findings included in investigations in Splunk Enterprise Security

You can add or remove findings and finding groups from an investigation to streamline the review process and focus on the root cause.


Add findings to an investigation in Splunk Enterprise Security

Add a finding or finding group to an investigation so that you can review all the information associated with the findings in context and determine the next course of action. You can also assign an investigation to an analyst and collaborate with other analysts to review investigations.

You can add a finding to an investigation using any of the following methods:

Select Add to investigation on the Mission Control page

Follow these steps to add a finding to an investigation in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, go to the Mission Control page.
  2. From the Analyst queue, select the finding or finding group that you want to convert to an investigation.
  3. Select Add to investigation to add the selected findings or finding groups to an investigation.
  4. Determine whether you want to create a new investigation or add the finding or finding group to an existing investigation.
  5. (conditional) If you want to create a new investigation, follow the steps in Create a new investigation.
  6. (conditional) If you want to add the finding or finding group to an existing investigation, follow the steps in Add findings to an existing investigation.


Select Add to investigation from the Actions drop-down menu

Follow these steps to add a finding to an investigation in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, go to the Mission Control page.
  2. From the Analyst queue, select the finding or finding group that you want to convert to an investigation.
  3. Go to the three dots in the Actions drop-down menu next to the finding or finding group that you want to add to the investigation.
  4. Select Add to investigation to add the selected findings or finding groups to an investigation.
  5. Determine whether you want to create a new investigation or add the finding or finding group to an existing investigation.
  6. (conditional) If you want to create a new investigation, follow the steps in Create a new investigation.
  7. (conditional) If you want to add the finding or finding group to an existing investigation, follow the steps in Add findings to an existing investigation.


Create a new investigation

Follow these steps to add findings or finding groups to a new investigation:

Prerequisite: Access the Add to investigation dialog box in Splunk Enterprise Security.

  1. In the Add to investigation dialog box, select Create new investigation.
  2. In the Name field, enter a name for the investigation.
  3. (conditional) Select the check box to automatically update the values of the owner, status, urgency, sensitivity, and disposition of findings with the values of the investigation.
  4. Assign an owner to the investigation by using the Owner drop-down menu. For example, Splunk administrator or Lily White.
  5. Assign a status to the investigation by using the Status drop-down menu. For example, New or Unassigned.
  6. Assign an urgency to the investigation by using the Urgency drop-down menu. For example, Critical or High.
  7. Assign a sensitivity to the investigation by using the Sensitivity drop-down menu. For example, White, Green, Amber, Red, or Unassigned.
  8. Assign a disposition to the investigation by using the Disposition drop-down menu. For example, True positive - Suspicious activity.
  9. In the Description field, enter a description for the investigation.
  10. Select Save.

Add findings to an existing investigation

Follow these steps to add findings and finding groups to an existing investigation:

Prerequisite: Access the Add to investigation dialog box in Splunk Enterprise Security.

  1. In the Add to investigation dialog box, select Add to existing investigation.
  2. Select an investigation from the Investigation drop-down menu or select an investigation from the list of recent investigations.
  3. (conditional) Select the check box to automatically update the values of the owner, status, urgency, sensitivity, and disposition of findings with the values of the investigation.
  4. Select Save.

Remove findings from an investigation

Follow these steps to delete findings and finding groups from an existing investigation:

  1. In Splunk Enterprise Security, go to the Mission Control page.
  2. From the Analyst queue, go to the finding or finding group that you want to remove from an investigation.
  3. Select the finding or finding group to open the finding or finding group in the finding details panel.
  4. Select the View details drop-down menu.
  5. Under Overview, select the three dots next to the finding name.
  6. Select Remove finding from investigation to delete the finding from the investigation.


See also

For more information on findings and investigations, see the product documentation:

  - Findings and finding groups in Splunk Enterprise Security
  - Review investigation details in Splunk Enterprise Security

Last modified on 30 September, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

