Review investigation details in Splunk Enterprise Security

View all relevant details associated with an investigation so that you can make decisions on your next steps.

Detailed information on the investigation helps you build situational awareness about the findings or finding groups that are added to it and determine whether they represent a potential security threat. This includes information on the relevant findings, events, response plans, automation results, and notes. You can also review the involved entities, assets, and identities, known threat details drawn from artifacts such as file hashes, executables, and IP addresses, and related events. As a finding moves from triage to investigation, capabilities such as case status and dispositions record the current state of the finding and the investigation.

Follow these steps to view the details of an investigation:

  1. In Splunk Enterprise Security, select the investigation that you want to review from the analyst queue on the Mission Control page.
  2. Select View details to open the Overview panel.
  3. In the Overview panel for the investigation, view information such as Owner, Status, Urgency, Sensitivity, and Disposition.
    You can also view other details such as the included findings, detections, adaptive response actions, and next steps associated with the investigation.
    The following fields are available for the investigation:
    Owner: The individual who is assigned the investigation.
    ID: A unique identification number for the investigation, for example ES-1005. You can search for an investigation on the Mission Control page using the investigation ID. You can also select the ID to copy the link to the investigation's overview page.
    Description: Information about the investigation.
    Status: Where the investigation falls within the investigation workflow. For example, Unassigned, New (default), In-progress, Pending, Resolved, or Closed.
    Urgency: A value assigned to the investigation based on the combination of severity and the priority assigned to specific fields in the assets and identities lookups. For example, Unknown, Low, Medium, High, or Critical.
    Sensitivity: The sensitivity of the investigation, based on the US-CERT Traffic Light Protocol (TLP), which is mapped to the colors white, amber, green, and red.
    Disposition: The threat level associated with the investigation, which helps to separate false positives accurately. For example, Undetermined, True Positive - Suspicious Activity, Benign Positive - Suspicious But Expected, False Positive - Incorrect Analytic Logic, or False Positive - Inaccurate Data.
    Type: A category that connects investigations with specific service level agreements (SLAs) and response plans, such as phishing, ransomware, CrowdStrike, and so on.
  4. Review all the details associated with the finding.
  5. (Optional) Add notes or upload files to the investigation.
    Notes let you share what you have learned about the investigation with the larger team.

See also

For more information on reviewing and collaborating on investigations, see the product documentation:

  Manage findings included in investigations in Splunk Enterprise Security
  Collaborate on investigations in Splunk Enterprise Security

Last modified on 30 September, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0