Create investigation types in Splunk Enterprise Security
Create investigation types to associate investigations with the custom fields and response plans that fit a given scenario, such as phishing, ransomware, CrowdStrike alerts, and so on.
Follow these steps to create investigation types and associate them with response plans or custom fields in Splunk Enterprise Security:
- In Splunk Enterprise Security, go to the Configure tab.
- Select Findings and investigations and then select Investigation types.
- On the Investigation types page, select +Investigation type to create a new investigation type. You can also select a default investigation type from the available list. For example, you can create or select an investigation type with the name "Phishing".
- Enter a name for the investigation type. For example, ransomware.
You can't rename investigation types after you create them. You must create another investigation type instead.
- Enter a description for the investigation type.
- Select Next.
- Select Save.
- (Optional) Edit an investigation type that you've already created by selecting it from the Investigation types table. You can assign response plans and custom fields to the investigation type, or remove response plans and custom fields from it. You can also create new response plans and new custom fields based on your requirements.
See also
For more information on using macros and custom fields for investigations, see the product documentation:
- Managing access to investigations in Splunk Enterprise Security
- Add custom fields to add to investigation types in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1