Manage saved views to display findings and investigations in Splunk Enterprise Security
Create and manage saved views of filtered findings and investigations to accelerate the triage process during an investigation workflow. Saving specific views of filters and columns on the Mission Control page lets you view the values of the relevant fields for specific investigations and triage them appropriately.
As an analyst, you can configure saved views based on the specific findings that you want to see. Managing saved views, sharing saved views, and switching between saved views helps to share responsibilities and triage findings and investigations faster. For example, a cyber operations manager can create default saved views for various SOC teams in Splunk Enterprise Security. Saving specific default views provides a starting point for analysts to triage findings and investigations and can help them identify what to look for when they have not defined their own customized saved views.
Create saved views
Reuse the groups of filtered findings during an investigation by saving views. You can reuse saved views or make edits to existing views based on specific fields. Additionally, you can also save a view as a default.
- In Splunk Enterprise Security, select the Mission Control page.
- Filter the analyst queue by your desired fields. For example, you can select the Urgency column and then select Critical.
- Customize the table settings by selecting the settings icon and then selecting Apply. The table settings are stored in the saved view based on the selected fields and the order in which they are displayed on the Mission Control page.
- Select Save.
- In the Save view dialog box, go to View configuration and verify the fields that you want to use to group the findings. For example, Urgency: Critical.
- In View Name, enter a name for the view.
- (Optional) Check Save as default if you want to add it as the default view.
- (Optional) Select Share with all Enterprise Security users to share the view with other users. You can also see all existing views by selecting Existing in the Save view dialog box.
- Verify that the view is in the Saved Views drop-down menu on the Mission Control page.
Edit access to saved views
As a Splunk Enterprise Security administrator, you can manage access to saved views for users and analysts. By changing access controls for users and analysts, you can control how different users interact with findings and investigations in the analyst queue on the Mission Control page.
You must have the edit_filter_sets capability to create, edit, and see saved views. By default, this capability is turned on for the ess_analyst role and turned off for the ess_user role.
Follow these steps to edit access controls for saved views:
- In Splunk Enterprise Security, select Configure then All configurations and then Roles and capabilities.
- Select or deselect the check boxes for Edit saved views to add or remove the edit_filter_sets capability for the appropriate roles.
- Select Save.
If you edit capabilities, the changes might take a few minutes to take effect.
Saved views can be either public or private. Public saved views are viewable by any user with the edit_filter_sets capability, while private saved views are viewable only by the person who created the saved view. Even administrators don't have access to a private saved view created by another user.
Any user with the edit_filter_sets capability can do the following:
- Create a public or private saved view
- View, edit, delete, and share all public saved views
- View, edit, delete, and share a private saved view, but only if they created that saved view
- Set a public saved view to the default view
- Set a private saved view to their default view, but only if they created that saved view
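Because edit_filter_sets is the single gate on creating, editing, and seeing saved views, it is worth checking periodically which roles actually hold it, including roles that inherit it from another role rather than being granted it directly. The following script is an added example and is not Splunk's own code. It works on role records shaped like the entries that Splunk's authorization/roles REST endpoint returns (the capabilities and imported_roles field names are an assumption for this example), resolves inherited capabilities transitively, and reports any role holding the capability that is not on an expected allow list. The sample roles are constructed; only ess_analyst and ess_user and their default settings come from the page.

```python
"""Audit which roles can manage saved views (edit_filter_sets) in Splunk ES.

Added example, not Splunk documentation code. Role records are constructed to
mimic the shape of entries from /services/authorization/roles (output_mode=json);
the field names "capabilities" and "imported_roles" are an assumption here.
A role holds a capability either directly or through any role it imports.
"""
from typing import Dict, Optional, Set

CAPABILITY = "edit_filter_sets"

# Constructed sample data: role name -> {"capabilities": [...], "imported_roles": [...]}.
# ess_analyst is granted the capability directly and ess_user is not, matching the
# defaults described above; the remaining roles and their inheritance are invented.
SAMPLE_ROLES: Dict[str, dict] = {
    "user": {"capabilities": ["search"], "imported_roles": []},
    "ess_user": {"capabilities": ["search"], "imported_roles": ["user"]},
    "ess_analyst": {"capabilities": ["edit_filter_sets"], "imported_roles": ["ess_user"]},
    "ess_admin": {"capabilities": ["edit_es"], "imported_roles": ["ess_analyst"]},
    # Constructed custom role: no direct grant, but it imports ess_analyst and so
    # silently gains edit_filter_sets. This is the kind of drift the audit catches.
    "soc_reporting": {"capabilities": [], "imported_roles": ["ess_analyst"]},
}


def effective_capabilities(role: str, roles: Dict[str, dict],
                           seen: Optional[Set[str]] = None) -> Set[str]:
    """Return every capability a role holds directly or via imported roles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()  # unknown role or cycle guard
    seen.add(role)
    caps = set(roles[role].get("capabilities", []))
    for parent in roles[role].get("imported_roles", []):
        caps |= effective_capabilities(parent, roles, seen)
    return caps


def roles_with_capability(roles: Dict[str, dict], cap: str = CAPABILITY) -> Dict[str, str]:
    """Map each role that holds `cap` to 'direct' or 'inherited'."""
    result: Dict[str, str] = {}
    for name, record in roles.items():
        if cap in record.get("capabilities", []):
            result[name] = "direct"
        elif cap in effective_capabilities(name, roles):
            result[name] = "inherited"
    return result


def unexpected_grants(roles: Dict[str, dict], expected: Set[str],
                      cap: str = CAPABILITY) -> Set[str]:
    """Return roles holding `cap` that are not on the expected allow list."""
    return set(roles_with_capability(roles, cap)) - expected


if __name__ == "__main__":
    holders = roles_with_capability(SAMPLE_ROLES)
    for name, how in sorted(holders.items()):
        print(f"{name}: {how}")
    extra = unexpected_grants(SAMPLE_ROLES, {"ess_analyst", "ess_admin"})
    print("unexpected:", sorted(extra))  # soc_reporting via inheritance
```

In a live deployment the SAMPLE_ROLES dictionary would be replaced by the entries fetched from the REST endpoint; the allow list should contain only the roles your SOC intends to create and share saved views, so that a newly created custom role importing ess_analyst shows up as an unexpected grant rather than going unnoticed.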
Manage saved views
As an administrator or an analyst, you can edit, delete, and switch between saved views to make the triage process easier during an investigation. Delete a saved view if the view is no longer useful and you don't plan to use the view or share it with other analysts.
Follow these steps to manage saved views:
- In Splunk Enterprise Security, select the Mission Control page.
- Select the Saved Views drop-down menu.
- Select the saved view that you want to apply to the Mission Control page in Splunk Enterprise Security. You can switch between different saved views.
- To edit or delete a saved view, select Manage Saved Views and identify the saved view that you want to edit or delete.
- To edit a saved view, select the pencil icon next to the saved view you want to edit, and then select Save to apply your changes.
- To delete a saved view, select the trash icon to delete a saved view.
- Select Close.
Select an administrator-specified view to view findings and investigations
As a Splunk Enterprise Security administrator, you can save a specific view for analysts and identify that saved view as their default view. This administrator-selected view is in addition to the default saved view, which is a global view that applies to all analysts. The administrator-selected view can also be shared between multiple analysts.
Follow these steps to select the administrator-specified view:
- In the Splunk Enterprise Security app, go to the Mission Control page.
- Go to Saved Views and select the Admin Selected Saved View.
Share saved views with analysts to improve investigation workflows and customize the display of findings on the Mission Control page. Switching contexts between shared saved views lets you select between views and filter findings easily based on their relevance to the analyst. Such tasks can vary between general alert triage, phishing response, fraud detection, anomalous user behavior detection, or threat detection.
Follow these steps to share a saved view, or un-share a saved view that was previously available to all users.
- In Splunk Enterprise Security, go to the Mission Control page.
- On the Mission Control page, select the Saved Views drop-down menu and then select Manage Saved Views.
- Select the pencil icon for the saved view that you want to edit. This opens the Edit view dialog box for the selected view.
- Select or deselect the check box for Share with all Enterprise Security users.
You might see a warning that removing the sharing option moves users to the global default view selected by the administrator.
- Select Save.
See also
For more information on analyst workflows and assigning capabilities to a role in Splunk Enterprise Security, see the product documentation:
- Manage analyst workflows using the analyst queue in Splunk Enterprise Security
- Configure the settings for the analyst queue in Splunk Enterprise Security
- Configure users and roles in Splunk Enterprise Security in Install and Upgrade Splunk Enterprise Security manual
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1