Specify the display of finding groups in the analyst queue of Splunk Enterprise Security
Customize the display of finding groups in the analyst queue on the Mission Control page by defining the specific fields for finding groups.
Follow these steps to specify the display of finding groups in the analyst queue on the Mission Control page.
- In Splunk Enterprise Security, select Security content tab.
- Select Content management.
- Select Create new content and then select Detections.
You can also edit an existing detection to adjust its display in the analyst queue.
- Select Finding-based detection to open the detection editor.
- In the detection editor, go to Analyst queue.
- Add the criteria to specify the display of the finding groups in the Analyst queue on the Mission Control page.
Field Description Required? Title Name of the finding group. Yes Description Information on the finding group. Yes Investigation type Information on the service level agreements and response plans associated with an investigation. Yes Security domain Categories to organize access to entities within a specific network or system. For example, access, identity, endpoint, network. Yes Severity Value assigned to a finding, which when combined with the priority of an entity helps to generate the urgency of an event. Yes Default owner Owner of the finding group. No Default status Status of the finding group. For example, New, In progress, Closed. Yes Drill-down searches Drill-down searches that provide additional context to the finding group. No Drill-down dashboards Drill-down dashboards that provide additional context to finding groups by allowing visibility to multiple drill-down searches. No Identity extraction Collect and update your identity data automatically to improve data integrity and reduce the overhead and maintenance of manual updates. Asset extraction Collect and update your asset data automatically to improve data integrity and reduce the overhead and maintenance of manual updates. No File extraction Enter a field name to extract data from a file. No URL extraction Enter a field name to extract data from an URL. No Next steps Enter the next steps from the drop-down to address the threat. No Recommended actions Specify the adaptive response action to take from a list of adaptive response actions. No - Add annotations to enrich the detection search results using the standard cybersecurity frameworks.
- Specify the time range to run the finding-based detection.
- Specify the adaptive response action for the finding-based detection.
Add a clickable URL as a next step to address a threat
Specify a URL in the Next steps field in the Analyst queue section of the detection editor. Adding next steps helps to incorporate additional information in the detection to provide context and build custom workflows during an investigation.
Follow these steps to add a URL as a next step:
- In Splunk Enterprise Security, select Security content tab.
- Select Content management.
- Select Create new content and then select Detections.
- Select Finding-based detection to open the detection editor.
- In the detection editor, go to Analyst queue.
- Go to Next Steps.
- From the Insert action dropdown menu, select URL.
- In the Add URL dialog box, enter the Display Name. For example: teamdoc
- Enter the URL, which can point to a wiki page, runbook, a Splunk dashboard or a third-party website.
For example:
https://linkname.com
The URL that you specify does not trigger any adaptive response action but you can still select the text. If you select it, the URL points to additional information.
- Select Save.
See also
For more information on how to use and configure detections in Splunk Enterprise Security, see the product documentation:
Finding-based detections available in Splunk Enterprise Security | Add annotations to detections in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!