Splunk® Enterprise Security

Administer Splunk Enterprise Security

Configure the settings for the analyst queue in Splunk Enterprise Security

Configure settings to modify analyst capabilities and permissions to customize the display of findings and investigations in the Analyst queue of the Mission Control page in Splunk Enterprise Security. You can override and replace the calculated urgency of a finding or an investigation. You can also set up a time range to ensure specific findings or investigations are displayed in the Analyst queue. Additionally, you can turn on auto-refresh to update the list of findings and investigations automatically in the Analyst queue.

Override and replace the calculated urgency of a finding or investigation

Follow these steps to configure whether analysts can override the calculated urgency of a finding or an investigation:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select Findings and investigations and then select Analyst queue settings in the left panel.
  3. In the Analyst queue settings dialog, turn off the button to override and replace the calculated urgency of findings and investigations. When this button is turned on the urgency level is displayed for findings and investigations in the Analyst queue.

    Analysts are allowed to override urgency by default.

Add a default time range for findings and investigations

Add a default time range to restrict the display of findings and investigations in the Analyst queue occurring within that time window. Adding a default time range helps to keep the number of findings and investigations in the Analyst queue to a manageable level.

Follow these steps to add a default time range for displaying findings and investigations:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select Findings and investigations and then select Analyst queue settings in the left panel.
  3. In the Analyst queue settings dialog, go to Analyst queue: Default time range.
  4. Enter an Earliest time and Latest time to specify the time window.


Turn on auto-refresh to update findings and investigations

Configure a specific frequency to refresh findings and investigations on the Mission Control page so that they get automatically updated and new findings can be addressed in a timely manner.

Follow these steps to configure a specific frequency to auto-refresh findings and investigations:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select Findings and investigations and then select Analyst queue settings in the left panel.
  3. In the Analyst queue settings dialog, go to Analyst queue: Auto-refresh.
  4. Turn on the Auto refresh button to display the auto refresh option on the Mission Control page.
  5. Select the default state whether you want auto-refresh to be tuned off by default or not.
  6. Select a default time to auto-refresh findings from the Time interval drop down. You can select any of the following options: 30 seconds, 1 minute, 2 minutes, or 5 minutes.

After auto-refresh is configured in the Analyst queue settings, you still have the option to turn it on or off when you select Auto refresh on or Auto refresh off from the Mission Control page.

See also

For more information on calculating urgency and adding notes in Splunk Enterprise Security, see the product documentation:

Last modified on 13 November, 2024
Manage analyst workflows using the analyst queue in Splunk Enterprise Security   Sort and filter findings and investigations for triage in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters