Start investigations in Splunk Enterprise Security

In Splunk Enterprise Security, an investigation is a structured approach for gathering evidence and responding to a security incident. Each investigation is based on one or more findings related to the security incident.

Investigations appear alongside findings in the analyst queue. You can manually start a new investigation based on a single finding or a group of findings in Splunk Enterprise Security.

You can also automatically create investigations using a playbook in Splunk SOAR. Investigations created from Splunk SOAR playbooks also appear in the analyst queue of Splunk Enterprise Security.

Start an investigation

To start a new investigation, follow these steps:

In Splunk Enterprise Security, select Mission Control.
From the analyst queue, select the name of the finding or finding group that you want to investigate.
From the side panel preview, select Start investigation.

After you start an investigation, you can respond with response plans and automate your response with Splunk SOAR playbooks.

Data associated with an investigation

To view the data associated with an investigation, select the name of the investigation in the analyst queue and then select View details. The following table describes the data found in the Overview tab of the investigation details page:

Investigation data	Description
Events	Raw data ingested by event-based detections.
Original event	The raw event that triggered the alert contributing to the investigation.
Included findings and intermediate findings	Findings and intermediate findings that have been added to the investigation.
Drill-down search	A predefined search that you can run to gather additional context about the investigation.
Drill-down dashboard	A predefined dashboard with more than one drill-down search that you can view to gather additional context about the investigation.
Adaptive response	A type of custom alert action that conforms to the common action model. You can trigger adaptive response actions from detections or on an ad hoc basis when examining findings and investigations.
Detection	The detection, or the scheduled correlation search or risk rule, that generated the findings added to the investigation.
Custom fields	Fields that you can populate on the investigation to store relevant additional information about the investigation or the response.
Additional fields	Field-value pairs related to the investigation, such as destination, risk score, severity, and time.
History	The progress other analysts have made on the investigation, such as status changes, notes, and automation.
MITRE ATT&CK	The MITRE ATT&CK tactics and techniques associated with the investigation.

Edit tags for field-value pairs in an investigation

When you're working on an investigation in Splunk Enterprise Security, you can edit and automatically save changes to the following field values using the drop-down lists in the Info section of the side panel:

Owner
Status
Urgency
Sensitivity
Disposition

In the Overview tab, you can edit tags for field-value pairs, including custom fields you created. To edit tags for field-value pairs, follow these steps:

In Splunk Enterprise Security, select Mission Control and then select the investigation you want to edit in the analyst queue.
Select View details in the side panel preview of the investigation.
In the Overview tab of the investigation, use the expansion arrows to see field-value pairs in sections such as Additional fields, Events, or MITRE Attack.
Select the down arrow icon ( ) for the field you want to edit.
Select Edit tags.
Make your changes to the tags of the field-value pair.
Select Save.

Start investigations in Splunk Enterprise Security

Start an investigation

Data associated with an investigation

Edit tags for field-value pairs in an investigation

See also

Comments

Start investigations in Splunk Enterprise Security

Was this topic useful?