Review investigation details in Splunk Enterprise Security
View all relevant details associated with an investigation so that you can make decisions on your next steps.
Detailed information on the investigation helps to gather situational awareness about the findings or finding groups that are added to the investigation and determine whether it represents a potential security threat. This includes information on relevant findings, events, response plans, automation results, and notes. You can also review information on the involved entities, assets, identities, known threat details using artifacts such as file hashes, executables, IP addresses, and related events. As a finding moves from triage to investigation, capabilities such as case status and dispositions help to maintain the current state of the finding and the investigation.
Follow these steps if you want to view details of an investigation:
- In Splunk Enterprise Security, select the investigation that you want to review from the analyst queue in the Mission Control page.
- Select View details to open the Overview panel.
- in the overview panel for the investigation, view information such as Owner, Status, Urgency, Sensitivity, and Disposition for the investigation.
You can also view other details such as included findings, detections, adaptive response actions, and next steps associated with the investigation.
The following table identifies the information details or fields that are available for the investigation:Field Description Owner The individual who is assigned the investigation ID A unique identification number for the investigation. For example, ES-1005. You can search for an investigation in the Mission Control page using the investigation ID. You can also select the ID to copy the link to the investigation's overview page. Description Information on the investigation. Status Where the investigation falls within the investigation workflow. For example, Unassigned, New (default), In-progress, Pending, Resolved, or Closed. Urgency Values assigned to investigations based on the combination of the severity and priority assigned to specific fields in the assets and identities lookups. For example, Unknown, Medium, High, Critical, or Low. Sensitivity The sensitivity of the investigation based on the US-CERT traffic light protocol, which is mapped to the following colors: white, amber, green, and red. Disposition The threat level associated with the investigation to accurately separate the false positives. For example, Undetermined, True Positive - Suspicious Activity, Benign Positive - Suspicious But Expected, False Positive - Incorrect Analytic Logic, or False Positive - Inaccurate Data. Type A category level that connects investigations with specific service level agreements (SLAs) and response plans such as phishing, ransomware, crowdstrike, and so on. - Review all the details associated with the finding.
- (Optional) You can also add notes or upload files to the investigation.
Notes allows you to share your learnings about the investigation with the larger team.
See also
For more information on reviewing and collaborating on investigations, see the product documentation:
- Collaborate on investigations in Splunk Enterprise Security
- Configure the status of findings and investigations in Splunk Enterprise Security
- Configure dispositions for findings in Splunk Enterprise Security
- Investigate findings using drill-down searches and dashboards in Splunk Enterprise Security
- Managing access to investigations in Splunk Enterprise Security
| Manage findings included in investigations in Splunk Enterprise Security | Collaborate on investigations in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Download manual
Feedback submitted, thanks!