Splunk® Enterprise Security

Administer Splunk Enterprise Security

Specify the display of finding groups in the analyst queue of Splunk Enterprise Security

Customize the display of finding groups in the analyst queue on the Mission Control page by defining the specific fields for finding groups.

Follow these steps to specify the display of finding groups in the analyst queue on the Mission Control page.

  1. In Splunk Enterprise Security, select the Security content tab.
  2. Select Content management.
  3. Select Create new content and then select Detections.

    You can also edit an existing detection to adjust its display in the analyst queue.

  4. Select Finding-based detection to open the detection editor.
  5. In the detection editor, go to Analyst queue.
  6. Add the criteria to specify the display of the finding groups in the Analyst queue on the Mission Control page.
    Field | Description | Required?
    Title | Name of the finding group. | Yes
    Description | Information on the finding group. | Yes
    Investigation type | Information on the service level agreements and response plans associated with an investigation. | Yes
    Security domain | Category used to organize access to entities within a specific network or system. For example: access, identity, endpoint, network. | Yes
    Severity | Value assigned to a finding which, combined with the priority of the affected entity, determines the urgency of the event. | Yes
    Default owner | Owner of the finding group. | No
    Default status | Status of the finding group. For example: New, In progress, Closed. | Yes
    Drill-down searches | Drill-down searches that provide additional context for the finding group. | No
    Drill-down dashboards | Drill-down dashboards that provide additional context for finding groups by giving visibility into multiple drill-down searches. | No
    Identity extraction | Collect and update your identity data automatically to improve data integrity and reduce the overhead and maintenance of manual updates. |
    Asset extraction | Collect and update your asset data automatically to improve data integrity and reduce the overhead and maintenance of manual updates. | No
    File extraction | Enter a field name from which to extract file data. | No
    URL extraction | Enter a field name from which to extract a URL. | No
    Next steps | Select the next steps to address the threat from the drop-down. | No
    Recommended actions | Select the adaptive response action to take from the list of adaptive response actions. | No
  7. Add annotations to enrich the detection search results using the standard cybersecurity frameworks.
  8. Specify the time range to run the finding-based detection.
  9. Specify the adaptive response action for the finding-based detection.

Add a clickable URL as a next step to address a threat

Specify a URL in the Next steps field in the Analyst queue section of the detection editor. Adding next steps helps to incorporate additional information in the detection to provide context and build custom workflows during an investigation.

Follow these steps to add a URL as a next step:

  1. In Splunk Enterprise Security, select the Security content tab.
  2. Select Content management.
  3. Select Create new content and then select Detections.
  4. Select Finding-based detection to open the detection editor.
  5. In the detection editor, go to Analyst queue.
  6. Go to Next steps.
  7. From the Insert action dropdown menu, select URL.
  8. In the Add URL dialog box, enter the Display Name. For example: teamdoc
  9. Enter the URL, which can point to a wiki page, runbook, a Splunk dashboard or a third-party website. For example: https://linkname.com

    The URL that you specify does not trigger an adaptive response action. It appears as a selectable link in the analyst queue; selecting it opens the page with the additional information.

  10. Select Save.
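The two procedures above define the analyst-queue fields of a finding group and its next-step links through the detection editor. As an added example (not Splunk code, and not the format in which Enterprise Security stores these settings), the following Python script represents the same fields as a plain dict and checks, before anything is saved, that every field the table marks as required is present and that every next-step URL is an absolute http or https link with a host and no embedded credentials, so an analyst selecting a next step from the queue is never handed a javascript: or data: link. The field names, the sample detection values and the next-step entries are all constructed for the example.

```python
"""Pre-save checks for a finding-based detection's analyst-queue settings.

Added example, not Splunk code. The dict layout below is an assumed
representation of the editor's Analyst queue section, chosen for illustration;
it is not the on-disk format of Splunk Enterprise Security.
"""
from urllib.parse import urlsplit

# "Required?" column from the analyst queue table on this page.
REQUIRED = ("title", "description", "investigation_type",
            "security_domain", "severity", "default_status")
OPTIONAL = ("default_owner", "drilldown_searches", "drilldown_dashboards",
            "identity_extraction", "asset_extraction", "file_extraction",
            "url_extraction", "next_steps", "recommended_actions")

# Only schemes that open a web page when an analyst selects the link.
SAFE_SCHEMES = frozenset({"http", "https"})


def check_next_step_url(url: str) -> list[str]:
    """Return the problems found in one next-step link (empty list means OK)."""
    problems = []
    # Check the raw string first: urlsplit silently strips leading
    # whitespace and control characters, which would hide them.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        problems.append("contains whitespace or control characters")
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_SCHEMES:
        problems.append(f"scheme {parts.scheme or '(none)'!r} is not http or https")
    if not parts.hostname:
        problems.append("no host")
    elif parts.username is not None or parts.password is not None:
        problems.append("embedded credentials in the authority part")
    return problems


def validate_analyst_queue(cfg: dict) -> list[str]:
    """Return every error in an analyst-queue definition; [] means it is valid."""
    errors = []
    for field in REQUIRED:
        if not str(cfg.get(field) or "").strip():
            errors.append(f"required field {field!r} is missing or empty")
    for field in sorted(set(cfg) - set(REQUIRED) - set(OPTIONAL)):
        errors.append(f"unknown field {field!r}")
    for i, step in enumerate(cfg.get("next_steps", [])):
        name = str(step.get("display_name", "")).strip()
        if not name:
            errors.append(f"next_steps[{i}]: display name is empty")
        for problem in check_next_step_url(str(step.get("url", ""))):
            errors.append(f"next_steps[{i}] ({name or '?'}): {problem}")
    return errors


# Constructed sample definitions (hypothetical detection, not real content).
GOOD = {
    "title": "Multiple failed logons followed by a success",
    "description": "Password-spraying pattern against a single account.",
    "investigation_type": "Standard",
    "security_domain": "access",
    "severity": "high",
    "default_status": "New",
    "next_steps": [
        {"display_name": "teamdoc", "url": "https://linkname.com"},
    ],
}

BAD = dict(GOOD, title="", next_steps=[
    {"display_name": "teamdoc", "url": "javascript:alert(1)"},
    {"display_name": "", "url": "https://user:pw@wiki.example.internal/runbook"},
])

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, validate_analyst_queue(cfg) or "OK")
```

Run the script to see the valid definition pass and the constructed bad one fail on the empty title, the javascript: link, the empty display name and the credentials embedded in the runbook URL. The checks on the raw string run before urlsplit on purpose: recent Python versions strip leading control characters during parsing, so a scheme check alone would not see them.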

See also

For more information on how to use and configure detections in Splunk Enterprise Security, see the product documentation:

Last modified on 28 October, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1

