Splunk® Enterprise Security

Use Splunk Enterprise Security

Start investigations in Splunk Enterprise Security

In Splunk Enterprise Security, an investigation is a structured approach for gathering evidence and responding to a security incident. Each investigation is based on one or more findings related to the security incident.

Investigations appear alongside findings in the analyst queue. You can manually start a new investigation based on a single finding or a group of findings in Splunk Enterprise Security.

You can also automatically create investigations using a playbook in Splunk SOAR. Investigations created from Splunk SOAR playbooks also appear in the analyst queue of Splunk Enterprise Security.

Start an investigation

To start a new investigation, follow these steps:

  1. In Splunk Enterprise Security, select Mission Control.
  2. From the analyst queue, select the name of the finding or finding group that you want to investigate.
  3. From the side panel preview, select Start investigation.

After you start an investigation, you can respond with response plans and automate your response with Splunk SOAR playbooks.

Data associated with an investigation

To view the data associated with an investigation, select the name of the investigation in the analyst queue and then select View details. The following table describes the data found in the Overview tab of the investigation details page:

Investigation data Description
Events Raw data ingested by event-based detections.
Original event The raw event that triggered the alert contributing to the investigation.
Included findings and intermediate findings Findings and intermediate findings that have been added to the investigation.
Drill-down search A predefined search that you can run to gather additional context about the investigation.
Drill-down dashboard A predefined dashboard with more than one drill-down search that you can view to gather additional context about the investigation.
Adaptive response A type of custom alert action that conforms to the common action model. You can trigger adaptive response actions from detections or on an ad hoc basis when examining findings and investigations.
Detection The detection, or the scheduled correlation search or risk rule, that generated the findings added to the investigation.
Custom fields Fields that you can populate on the investigation to store relevant additional information about the investigation or the response.
Additional fields Field-value pairs related to the investigation, such as destination, risk score, severity, and time.
History The progress other analysts have made on the investigation, such as status changes, notes, and automation.
MITRE ATT&CK The MITRE ATT&CK tactics and techniques associated with the investigation.

Edit tags for field-value pairs in an investigation

When you're working on an investigation in Splunk Enterprise Security, you can edit and automatically save changes to the following field values using the drop-down lists in the Info section of the side panel:

  • Owner
  • Status
  • Urgency
  • Sensitivity
  • Disposition

In the Overview tab, you can edit tags for field-value pairs, including custom fields you created. To edit tags for field-value pairs, follow these steps:

  1. In Splunk Enterprise Security, select Mission Control and then select the investigation you want to edit in the analyst queue.
  2. Select View details in the side panel preview of the investigation.
  3. In the Overview tab of the investigation, use the expansion arrows to see field-value pairs in sections such as Additional fields, Events, or MITRE Attack.
  4. Select the down arrow icon ( down arrow icon ) for the field you want to edit.
  5. Select Edit tags.
  6. Make your changes to the tags of the field-value pair.
  7. Select Save.


See also

For more details on starting an investigation in Splunk Enterprise Security, see the product documentation:

Last modified on 29 October, 2024
Triage findings and finding groups in Splunk Enterprise Security   Respond to investigations with response plans in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters