Splunk® Enterprise Security

Administer Splunk Enterprise Security

Managing access to investigations in Splunk Enterprise Security

As a Splunk Enterprise Security administrator, you can control the access of security analysts to investigations to help them focus only on the specific investigations under their review. You can also support analysts by troubleshooting problems with their action history. You can also assign analysts to specific investigations.

Different roles have different levels of access when working with investigations. Users with the ess_admin role can create, view, and manage investigations by default. Users with the ess_analyst role can create and edit investigations. However, as a Splunk Enterprise Security administrator, you can make changes to the roles and capabilities assigned to the analysts.

  • To allow other users to create or edit an investigation, add the Manage Your Investigations capability to their role. Users can only make changes on investigations on which they are a collaborator.
  • To allow other users to manage, view, and delete all investigations, add the Manage All Investigations capability to their role.

You can manage who can make changes to an investigation by setting "write" permissions for collaborators on a specific investigation. By default, all collaborators have write permissions for the investigations to which they are added, but other collaborators on the timeline can change those permissions to read-only.

After a user creates an investigation, any user with the Manage All Investigations capability can view the investigation, but only the collaborators on the investigation can edit the investigation.

You cannot view the investigation KV Store collections as lookups. Only users with the admin role can view or modify the KV store collections using the KV Store API endpoint.

Assign an investigation to an owner

Assign an investigation to an owner to delegate the work of reviewing and identifying security threats and enforcing traceability of the investigative workflow.

Follow these steps to assign owners to investigations in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, select the investigation to which you want to assign an owner from the analyst queue in the Mission Control page.
  2. Select View details to open the Overview panel.
  3. You can assign the owner using the Owner drop-down menu in the side panel of the investigation.
  4. Select Save.

Assign yourself to an investigation

Assign an investigation to yourself so that you can review the findings and other information associated with the investigation, collaborate with other analysts, and determine a resolution for the investigation. Assigning an investigation helps to divide the workload and informs other analysts that you are working on the investigation.

Follow these steps to assign yourself to an investigation:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, identify the investigation that you want to assign to yourself.
  3. From the Actions drop-down menu, select Assign to me to assign yourself to the investigation.

See also

For more information on investigations and user roles in Splunk Enterprise Security, see the product documentation:

Last modified on 30 September, 2024
Collaborate on investigations in Splunk Enterprise Security   Create investigation types in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters