Manage findings included in investigations in Splunk Enterprise Security
You can add or remove findings and finding groups from an investigation to streamline the review process and focus on the root cause.
Add findings to an investigation in Splunk Enterprise Security
Add a finding or finding group to an investigation so that you can review all the information associated with the findings in context and determine the next course of action. You can also assign an investigation to an analyst and collaborate with other analysts to review investigations.
You can add a finding to an investigation using any of the following methods:
- Select Add to investigation on the Mission Control page
- Select Add to investigation from the Actions drop-down menu
Select Add to investigation on the Mission Control page
Follow these steps to add a finding to an investigation in Splunk Enterprise Security:
- In Splunk Enterprise Security, go to the Mission Control page.
- From the Analyst queue, select the finding or finding group that you want to add to an investigation.
- Select Add to investigation to add the selected findings or finding groups to an investigation.
- Determine whether you want to create a new investigation or add the finding or finding group to an existing investigation.
- (Conditional) If you want to create a new investigation, follow the steps in Create a new investigation.
- (Conditional) If you want to add the finding or finding group to an existing investigation, follow the steps in Add findings to an existing investigation.
Select Add to investigation from the Actions drop-down menu
Follow these steps to add a finding to an investigation from the Actions drop-down menu in Splunk Enterprise Security:
- In Splunk Enterprise Security, go to the Mission Control page.
- From the Analyst queue, locate the finding or finding group that you want to add to an investigation.
- Select the three dots in the Actions drop-down menu next to the finding or finding group that you want to add to the investigation.
- Select Add to investigation to add the selected findings or finding groups to an investigation.
- Determine whether you want to create a new investigation or add the finding or finding group to an existing investigation.
- (Conditional) If you want to create a new investigation, follow the steps in Create a new investigation.
- (Conditional) If you want to add the finding or finding group to an existing investigation, follow the steps in Add findings to an existing investigation.
Create a new investigation
Follow these steps to add findings or finding groups to a new investigation:
Prerequisite: Access the Add to investigation dialog box in Splunk Enterprise Security.
- In the Add to investigation dialog box, select Create new investigation.
- In the Name field, enter a name for the investigation.
- (Conditional) Select the check box to automatically update the owner, status, urgency, sensitivity, and disposition of the findings with the values set on the investigation.
- Assign an owner to the investigation by using the Owner drop-down menu. For example, Splunk administrator or Lily White.
- Assign a status to the investigation by using the Status drop-down menu. For example, New or Unassigned.
- Assign an urgency to the investigation by using the Urgency drop-down menu. For example, Critical or High.
- Assign a sensitivity to the investigation by using the Sensitivity drop-down menu. For example, White, Green, Amber, Red, or Unassigned.
- Assign a disposition to the investigation by using the Disposition drop-down menu. For example, True positive - Suspicious activity.
- In the Description field, enter a description for the investigation.
- Select Save.
Add findings to an existing investigation
Follow these steps to add findings and finding groups to an existing investigation:
Prerequisite: Access the Add to investigation dialog box in Splunk Enterprise Security.
- In the Add to investigation dialog box, select Add to existing investigation.
- Select an investigation from the Investigation drop-down menu or select an investigation from the list of recent investigations.
- (Conditional) Select the check box to automatically update the owner, status, urgency, sensitivity, and disposition of the findings with the values set on the investigation.
- Select Save.
Remove findings from an investigation
Follow these steps to remove findings and finding groups from an existing investigation:
- In Splunk Enterprise Security, go to the Mission Control page.
- From the Analyst queue, go to the finding or finding group that you want to remove from an investigation.
- Select the finding or finding group to open the finding or finding group in the finding details panel.
- Select the View details drop-down menu.
- Under Overview, select the three dots next to the finding name.
- Select Remove finding from investigation to remove the finding from the investigation.
See also
For more information on findings and investigations, see the product documentation:
- Create finding groups in Splunk Enterprise Security
- Merge findings and finding groups into investigations in Splunk Enterprise Security
- Review investigation details in Splunk Enterprise Security
- Collaborate on investigations in Splunk Enterprise Security
- Managing access to investigations in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1