Triage findings and finding groups in Splunk Enterprise Security

Triage findings and finding groups on the Mission Control page in Splunk Enterprise Security by assigning them an owner and updating their status. Review the findings and finding groups in the analyst queue to identify potential security incidents that require further investigation.

To triage a finding or finding group, follow these steps:

  1. In Splunk Enterprise Security, select Mission Control to open the analyst queue, which lists findings, finding groups, and investigations.
  2. In the analyst queue, select the name of the finding or finding group that you want to triage.
  3. Triage the finding or finding group by setting fields such as Owner, Status, Urgency, or Disposition.
  4. (Optional) Review the associated risk scores to help you determine if the finding is a potential threat.
  5. (Optional) Open the Detection that generated the finding.
  6. (Optional) Select the Drill-down search to open a predefined search and gather additional context.

    The finding group view shows at most 100 findings and intermediate findings. To see the complete list of findings that contribute to a finding group, select the DEFAULT_FBD_DRILLDOWN link. Selecting a drill-down search link opens the search page in a new tab.

  7. (Optional) Review Included findings or Related investigations.
  8. (Optional) View Adaptive responses.
  9. (Optional) Add a note.
  10. (Optional) Edit the finding fields by selecting the More icon (three dots), then Edit.

Last modified on 16 December, 2024
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1