Sort and filter findings and investigations for triage in Splunk Enterprise Security
Sort and filter findings and investigations in the Analyst queue on the Mission Control page to identify and group specific findings and investigations together and accelerate the triage process.
Sorting and filtering findings and investigations lets you drill down on specific and detailed information and helps to categorize, track, and assign findings to analysts based on specific criteria to identify potential threats faster.
For example, filtering findings and investigations by the Status field removes the need to review items in unrelated statuses and prevents statuses from being duplicated. You can select the In-progress status from the available statuses, such as Unassigned, New, In-progress, Resolved, or Closed, to display only the findings or investigations that are currently in progress.
Alternatively, you can enter a specific filter criterion and add it to the list of filter options. For example, you can add the ID, labels, and corresponding fields in the Analyst queue settings to filter findings and investigations.
The following screenshot shows some of the sort and filter options for findings and investigations in the Analyst queue.
Sort the findings and investigations
Follow these steps to sort the findings and investigations in Splunk Enterprise Security:
- In the Splunk Enterprise Security app, go to the Mission Control page.
- In the Analyst queue, select the down arrow next to the field column heading of the finding or investigation.
- Select A to Z or Z to A to sort the column in ascending or descending order on the Analyst queue.
Filter the findings and investigations
Follow these steps to filter the findings and investigations in Splunk Enterprise Security:
- In the Splunk Enterprise Security app, go to the Mission Control page.
- In the Analyst queue, select the down arrow next to a specific field column heading, such as Status, for the finding or investigation.
- Select In-progress or New to show only the findings or investigations in the Analyst queue that are either in progress or newly created.
See also
For more information on the analyst workflow in Splunk Enterprise Security, see the product documentation:
- Manage analyst workflows using the analyst queue in Splunk Enterprise Security
- Overview of Mission Control in Splunk Enterprise Security in the Use Splunk Enterprise Security manual.
- Triage findings and investigations in Splunk Enterprise Security in the Use Splunk Enterprise Security manual.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0