Add events to an investigation in Splunk Enterprise Security
An event is a single piece of data in Splunk software similar to a record in a log file or other data input. When data is indexed, it is divided into individual events. Each event is given a timestamp, host, source, and source type. In Splunk Enterprise Security, an event can be raw data associated with a finding or investigation, or it can represent activity that contributes to the creation of a finding or investigation. You can add events to an investigation through a search macro or automation and then track the related raw data.
All of the events added to an investigation are in the Events tab. You can expand each event to see all of the fields related to that event. For some fields, you can choose field actions by selecting the expand icon ( ) in the Action column of the events table.
You can add an event to an investigation using a search macro. Adding an event to an investigation saves the event with the investigation itself and helps other users, such as auditors or managers, extract critical data related to the investigation. Adding events to an investigation can also provide justification for the remediation of that investigation.
If you create, update, or delete events from playbooks in Splunk SOAR (Cloud), your changes automatically reflect in the Events tab of your investigation in Splunk Enterprise Security.
Add events using the add_events search macro
Use the add_events
macro to add multiple events to an investigation in Splunk Enterprise Security. Add the macro to the end of a search.
You can run a search to add particular events to an investigation. For example, to add events with a source IP of 192.168.1.8
from your chosen index, use the following search:
index=<index_name> | search src="192.168.1.8" | `add_events(investigation_id)`
To add events to an investigation using the add_events macro, you must run a search that produces Events
results. To ensure that your search produces Events results, do the following:
- Include an event-generating command, such as
search
, in your search. You can add transforming commands, such asstats
, in addition to an event-generating command, but the SPL that follows the transforming command isn't included in the SPL added to the investigation.Some commands, such as
For more information on search command types and to see which ones generate events, see Generating commands in the Splunk Enterprise Search Reference manual.makeresults
, synthesize results without actually producing Events results. You can't use these commands to add events to an investigation. - Run the search in Verbose mode. Searches run in Smart mode or Fast mode don't produce Events results and don't add any events to an incident.
If you choose to use the full syntax for add_events
instead of the macro, ensure to use the following syntax.
| sendalert add_events param.investigation_id=<investigation_id>
Following the previous example of using the add_events macro, to add events with a source IP of 192.168.1.8 from your chosen index, use the following search.
index=<index_name> | search src="192.168.1.8" | sendalert add_events param.investigation_id=<investigation_id>
After you add events to an investigation using the add_events macro, you can find them on the Events tab of your investigation. Adding events to an investigation in Splunk Enterprise Security also adds the events in Splunk SOAR (Cloud). In Splunk SOAR (Cloud), you can find the newly added events on the Investigation page and continue to investigate them there. See Manage the status, severity, and resolution of events in Splunk SOAR (Cloud) in the Use Splunk SOAR (Cloud) manual.
If you run a search that produces events with missing indexer location values, you can still add the events to an investigation. For example, events produced using a transaction command don't have _cd
or _bkt
values. If you add these events to an investigation, Splunk Enterprise Security automatically adds them to the index associated with the investigation.
Open a search to find an event
Sometimes, when an investigation has a long list of events, it's difficult to search for a particular event. To find a particular event for your investigation, you can open the search used to generate the investigation's events in the Events tab of Splunk Enterprise Security. Then, you can edit the search to filter for particular events.
To open a search to find an event, complete the following steps:
- Select Mission Control in Splunk Enterprise Security.
- Select an investigation from the Analyst queue and then select View details.
- Select the Events tab.
- Select Open events in search.
- Edit the Splunk Search Processing Language (SPL) to reduce the list of events and find the event you're looking for. For example, if you want to find an event with a particular time stamp, such as
time="2022-11-02T19:48:24Z"
, you can edit the SPL to include that time by adding it to the search.
After you open a search from the Events tab, you can also use the Search tab to start a new search or add events to other investigations.
Respond to investigations with response plans in Splunk Enterprise Security | Automate your investigation response with actions and playbooks in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!