Triage findings and finding groups in Splunk Enterprise Security

Triage findings and finding groups on the Mission Control page in Splunk Enterprise Security by assigning them an owner and modifying the status. Review the list of findings and finding groups in the analyst queue for potential security incidents that require further investigation.

To triage a finding or finding group, follow these steps:

In Splunk Enterprise Security, select Mission Control to find the list of findings and investigations in the analyst queue.
Select a finding or finding group that you want to triage from the table.
Triage the finding or finding group by configuring your desired fields such as Owner, Status, Urgency, or Disposition.
(Optional) Review the associated risk scores to help you determine if the finding is a potential threat.
(Optional) Open the Detection that generated the finding.
(Optional) Select the Drill-down search to open a predefined search and gather additional context.
Finding groups show a maximum of only 100 findings and intermediate findings. To see a complete list of all the findings contributing to a finding group, select the DEFAULT_FBD_DRILLDOWN link. Selecting the drill-down search link opens the search page in a new tab.
(Optional) Review Included findings or Related investigations.
(Optional) View Adaptive responses.
(Optional) Add a note.
(Optional) Edit the finding fields by selecting the more icon ( ) , then Edit.

Triage findings and finding groups in Splunk Enterprise Security

See also

Comments

Triage findings and finding groups in Splunk Enterprise Security

Was this topic useful?