Splunk® Enterprise Security

Administer Splunk Enterprise Security

Create investigation types in Splunk Enterprise Security

Create investigation types to associate investigations with custom fields and response plans such as phishing, ransomware, Crowdstrike, and so on.

Follow these steps to create investigation types and associate them with response plans or custom fields in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, go to the Configure tab.
  2. Select Findings and investigations and then select Investigation types.
  3. In the Investigation types page, select +Investigation type to create a new investigation type. You can also select a default investigation type from the available list. For example, you can create or select an incident type with the name "Phishing".
  4. Enter a name for the investigation type. For example, ransomware

    You can't rename investigation types after you create them. You must create another investigation type instead.

  5. Enter a description for the investigation type.
  6. Select Next.
  7. Select Save.
  8. (Optional)Edit an investigation type that you've already created by selecting the investigation type from the Investigation types table. You can assign response plans and custom fields to the investigation type, or remove response plans and custom fields from it. You can also create new response plans and new custom fields based on your requirements.

See also

For more information on using macros and custom fields for investigations, see the product documentation:

Last modified on 30 September, 2024
Managing access to investigations in Splunk Enterprise Security   Add custom fields to add to investigation types in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters