Findings and finding groups in Splunk Enterprise Security
You can add findings and finding groups to an investigation to group relevant alerts together for triage and leverage additional Splunk Enterprise Security functionality to investigate potential security threats. You can also add multiple finding groups to an investigation.
Investigations are cases that are displayed in the analyst queue of the Mission Control page in Splunk Enterprise Security. You can configure Splunk Enterprise Security to automatically create investigations using Splunk SOAR playbooks and response actions.
Investigations are a collaborative process for security personnel such as analysts, SOC managers, automation engineers, security architects and so on to identify, collect, and examine findings or finding groups in Splunk Enterprise Security to detect and triage security threats. All investigations display their contributing events, findings, and finding groups as parts of the whole investigation in the analyst queue of the Mission Control page in Splunk Enterprise Security. Investigations also contain response actions to handle potential threats, including drill-down searches.
Findings are aggregated into finding groups when a finding-based detection is configured to meet a specific criterion. The following table provides some examples of how findings might be grouped together:
Finding group type | Criteria |
---|---|
Entity | When findings are created from the same entity. |
Threat object | When findings are grouped by a common threat object. |
Cumulative entity risk | When findings from an entity exceed a risk threshold during a certain time range. |
Kill Chain | Kill chain phases exceed a threshold on an entity over a time range. |
MITRE ATT&CK | When findings exceed a MITRE ATT&CK threshold for techniques and tactics for an entity over time. |
Similar findings | When findings are related to each other and a custom risk rule groups the findings together. |
You can add a finding or a finding group to multiple investigations. When you create a new investigation, Splunk Enterprise Security adds a reference to the finding in the investigation. The original finding continues to exist, and you can add it to another investigation. You can add findings that are already a part of an investigation to another investigation. If you add a finding or a finding group to an investigation, Splunk Enterprise Security continues to display the finding or the finding group in the Analyst queue on the Mission Control page so that you can add them to multiple investigations. Once you create an investigation, you cannot delete it in Splunk Enterprise Security.
If a finding in the finding group is already part of an investigation, the entire finding group is also a part of the same investigation. This occurs because the reference to the finding, which continues to exist as a finding, is added to the investigation.
You can add a maximum of 100 findings to an investigation. However, Splunk Enterprise Security can add any number of findings or intermediate findings to a finding group.
A contributing event is an event that contributes to the creation of a finding in Splunk Enterprise Security. If a finding group has several contributing events, the consolidated raw data from those contributing events can significantly increase the size of the finding group. To avoid this, only a maximum of 50 events can be aggregated even though the number of findings that can be added to an investigation is 100.
An investigation can be created if an analyst opts to take specific actions on a single finding in the analyst queue of the Mission Control page or the Overview panel. An investigation is either triaged from findings or created by SOAR automation. A single finding can be an investigation.
An event-based detection can generate single findings whereas a finding-based detection generates finding groups. Both findings and finding groups can be triaged into an investigation.
You must create an investigation manually to view the risk event timeline visualization or topology visualization. You can only run automation rules or response plans from an investigation.
See also
For more information on findings and investigations, see the product documentation:
- Create finding groups in Splunk Enterprise Security
- Manage findings included in investigations in Splunk Enterprise Security
- Review investigation details in Splunk Enterprise Security
- Collaborate on investigations in Splunk Enterprise Security
- Managing access to investigations in Splunk Enterprise Security
Create finding groups in Splunk Enterprise Security | Manage findings included in investigations in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!