Triage notable events on Incident Review in Splunk Enterprise Security
Use the Incident Review dashboard as part of your incident triage workflow. You can monitor notable events and the actions that analysts take to resolve the issues that triggered a notable event.
Speed up your notable event triage with search filters, tagging, and sorting. For example, focus on groups of notable events or an individual notable event with the search filters and time range selector. Notable events contain Urgency, Status, and Owner fields to help you categorize, track, and assign events.
Simplify searching and add identifiers to notable events using tags. Click Edit Tags in the field actions menu for a notable event field such as Title, Status, or Owner to add new tags or modify existing ones. After you create a tag, you can use it to filter the dashboard.
You can filter for notable events created by the same correlation search using the Correlation Search Name filter to type the name of the correlation search that created a notable event. As you type, the correlation search names appear for you to select.
Type SPL into the Search filter to search within the notable event details of notable events on Incident Review.
If you added notable events to investigations, or generated short IDs for notable events to share them with other analysts, you can filter by the Associations filter to quickly view the notable events associated with a specific investigation or the notable event represented by a short identifier. However, the short ID filter dropdown lists all short IDs, including notable events that are suppressed. If the notable event is suppressed, you will not be able to see it in Incident Review when filtering on short ID.
If you want to see a filtered view of Incident Review by default, ask your ES admin to modify the navigation menu in Enterprise Security to link directly to a filtered view. See Add a link to a filtered view of Incident Review in Administer Splunk Enterprise Security.
Assign notable events
You can assign one event at a time or several at once.
- Select a notable event.
- Click Edit selected.
- Select an Owner to assign the event or events to. Or, click Assign to me to assign the event or events to yourself.
- Save your changes.
Owners are unassigned by default, and you can assign notable events to any user with an administrator, ess_admin, or ess_analyst role. For more on user roles, see Configure users and roles in the Installation and Upgrade Manual.
If you use SAML authentication, it can take up to 10 minutes to update the list of users that you can assign notable events to.
Update the status of a notable event
New notable events have the New status. As analysts triage and move a notable event through the incident review workflow, the owner can update the status of the notable event to reflect the actions they take to address the event.
- Select one or more events, then click Edit all selected. To take action on all displayed events, click Edit all ## matching events.
- In the Edit Events window, update the fields to reflect your actions.
- (Optional) Add a Comment to describe the actions you took.
- Save changes.
If your ES administrator customized the Incident Review dashboard, you might be required to enter comments when updating a notable event. See Customize Incident Review in Splunk Enterprise Security for more information about how ES admins can customize the ways that analysts view and interact with notable events.
If your changes are not immediately visible, check the dashboard filters. For example, if the filter is set to "New" after you changed an event to "In Progress", your updated event will not display.
You can choose from the following notable event statuses.
|Unassigned||Used by Enterprise Security when an error prevents the notable event from having a valid status assignment.|
|New||Default status. The event has not been reviewed.|
|In Progress||An owner is investigating the event.|
|Pending||An action must occur before the event can be closed.|
|Resolved||The owner has addressed the cause of the event and is waiting for verification.|
|Closed||The resolution of the event has been verified.|
You can customize the notable event status names and workflow progression to match your process. For more information, see Manage notable event statuses.
Prioritize notable events by urgency
Use the urgency level of a notable event to prioritize incident review. Every notable event is assigned an urgency. Urgency levels can be unknown, low, medium, informational, high, or critical.
Urgency levels are calculated using the severity of the correlation search event and the priority of the asset or identity involved in the event. See How urgency is assigned to notable events in Splunk Enterprise Security.
By default, security analysts can change the urgency of a notable event. See Customize Incident Review in Splunk Enterprise Security to learn how to change that default.
Overview of Incident Review in Splunk Enterprise Security
Investigate a notable event on Incident Review in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only