Start investigations in Splunk Enterprise Security
In Splunk Enterprise Security, an investigation is a structured approach for gathering evidence and responding to a security incident. Each investigation is based on one or more findings related to the security incident.
Investigations appear alongside findings in the analyst queue. You can manually start a new investigation based on a single finding or a group of findings in Splunk Enterprise Security.
You can also automatically create investigations using a playbook in Splunk SOAR. Investigations created from Splunk SOAR playbooks also appear in the analyst queue of Splunk Enterprise Security.
Start an investigation
To start a new investigation, follow these steps:
- In Splunk Enterprise Security, select Mission Control.
- From the analyst queue, select the name of the finding or finding group that you want to investigate.
- From the side panel preview, select Start investigation.
After you start an investigation, you can respond with response plans and automate your response with Splunk SOAR playbooks.
Data associated with an investigation
To view the data associated with an investigation, select the name of the investigation in the analyst queue and then select View details. The following table describes the data found in the Overview tab of the investigation details page:
Investigation data | Description |
---|---|
Events | Raw data ingested by event-based detections. |
Original event | The raw event that triggered the alert contributing to the investigation. |
Included findings and intermediate findings | Findings and intermediate findings that have been added to the investigation. |
Drill-down search | A predefined search that you can run to gather additional context about the investigation. |
Drill-down dashboard | A predefined dashboard with more than one drill-down search that you can view to gather additional context about the investigation. |
Adaptive response | A type of custom alert action that conforms to the common action model. You can trigger adaptive response actions from detections or on an ad hoc basis when examining findings and investigations. |
Detection | The detection, or the scheduled correlation search or risk rule, that generated the findings added to the investigation. |
Custom fields | Fields that you can populate on the investigation to store relevant additional information about the investigation or the response. |
Additional fields | Field-value pairs related to the investigation, such as destination, risk score, severity, and time. |
History | The progress other analysts have made on the investigation, such as status changes, notes, and automation. |
MITRE ATT&CK | The MITRE ATT&CK tactics and techniques associated with the investigation. |
Edit tags for field-value pairs in an investigation
When you're working on an investigation in Splunk Enterprise Security, you can edit and automatically save changes to the following field values using the drop-down lists in the Info section of the side panel:
- Owner
- Status
- Urgency
- Sensitivity
- Disposition
In the Overview tab, you can edit tags for field-value pairs, including custom fields you created. To edit tags for field-value pairs, follow these steps:
- In Splunk Enterprise Security, select Mission Control and then select the investigation you want to edit in the analyst queue.
- Select View details in the side panel preview of the investigation.
- In the Overview tab of the investigation, use the expansion arrows to see field-value pairs in sections such as Additional fields, Events, or MITRE Attack.
- Select the down arrow icon ( ) for the field you want to edit.
- Select Edit tags.
- Make your changes to the tags of the field-value pair.
- Select Save.
See also
For more details on starting an investigation in Splunk Enterprise Security, see the product documentation:
- Merge findings and finding groups into investigations in Splunk Enterprise Security
- View the details of an investigation in Splunk Enterprise Security
- Collaborate on investigations in Splunk Enterprise Security
- Create investigation types in Splunk Enterprise Security
- Configure investigation macros to assign investigation types in Splunk Enterprise Security
- Associate an investigation type with a response plan in Splunk Enterprise Security
Triage findings and finding groups in Splunk Enterprise Security | Respond to investigations with response plans in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!