Triage findings and finding groups in Splunk Enterprise Security
Triage findings and finding groups on the Mission Control page in Splunk Enterprise Security by assigning them an owner and modifying the status. Review the list of findings and finding groups in the analyst queue for potential security incidents that require further investigation.
To triage a finding or finding group, follow these steps:
- In Splunk Enterprise Security, select Mission Control to find the list of findings and investigations in the analyst queue.
- Select a finding or finding group that you want to triage from the table.
- Triage the finding or finding group by configuring your desired fields such as Owner, Status, Urgency, or Disposition.
- (Optional) Review the associated risk scores to help you determine if the finding is a potential threat.
- (Optional) Open the Detection that generated the finding.
- (Optional) Select the Drill-down search to open a predefined search and gather additional context.
Finding groups display a maximum of 100 findings and intermediate findings. To see the complete list of findings that contribute to a finding group, select the DEFAULT_FBD_DRILLDOWN link. Selecting the drill-down search link opens the search page in a new tab.
- (Optional) Review Included findings or Related investigations.
- (Optional) View Adaptive responses.
- (Optional) Add a note.
- (Optional) Edit the finding fields by selecting the more icon, then Edit.
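The risk-score review step and the drill-down search step above both end in a search over the events behind a finding. The following search is an added example, not part of the Splunk documentation and not a predefined ES drill-down: it summarizes the risk contributions for one risk object so an analyst can judge whether the accumulated score is driven by many distinct detections or by a single noisy one. It assumes risk events are in the default `risk` index with the `risk_object`, `risk_object_type`, `risk_score` and `source` fields that the ES Risk data model uses, and the risk object value is a placeholder to replace with the value from the finding.

```spl
index=risk risk_object="<risk object from the finding>" earliest=-24h
| stats sum(risk_score) AS total_risk_score
        count AS contributing_events
        dc(source) AS distinct_detections
        values(source) AS contributing_detections
        by risk_object risk_object_type
| sort - total_risk_score
```

A high `total_risk_score` with a `distinct_detections` value of 1 usually points to a single detection firing repeatedly rather than a multi-stage pattern, which is worth checking before raising the finding's Urgency or changing its Disposition.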
See also
For more details on triaging findings and investigations in Splunk Enterprise Security, see the product documentation:
- Use findings for security monitoring in Splunk Enterprise Security
- Configure findings manually to track specific fields in Splunk Enterprise Security
- Merge findings and finding groups into investigations in Splunk Enterprise Security
- Run adaptive response actions in Splunk Enterprise Security
- Create and share notes on an investigation
- Risk scoring in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0