Splunk® App for PCI Compliance

User Manual

Investigate a potential security incident on the investigation workbench in the Splunk App for PCI Compliance

Investigate assets and identities, or artifacts, involved in a potential security incident on the investigation workbench. After you create an investigation in the Splunk App for PCI Compliance, you can start using the workbench for that investigation. Each investigation has a separate workbench.

When you investigate artifacts on an investigation workbench, by default you see Context, Endpoint Data, and Network Data tabs. Those tabs contain panels that help you gain context into the assets and identities you investigate, endpoint-related data such as file system activity, and network data such as network traffic.

Add artifacts to the scope of your investigation

As part of your investigation on the workbench, you can add assets and identities as artifacts to the scope of your investigation so that you can verify whether or not they are affected by, or participants in, the overall security incident.

For example, if you're investigating a malware outbreak at your organization, you can add hosts to the scope that you suspect are infected with malware without adding the associated events to the timeline and recording them as verifiably compromised. Add them to the scope first and review the relevant panels for additional context. If you discover that an artifact is part of the security incident you are investigating, you can add the event or detail that revealed that insight to the investigation to record that information for later.

You can add any value as an artifact on the workbench. Assets and identities added as artifacts to the scope are not limited to the assets and identities in the asset and identity framework in the Splunk App for PCI Compliance.

Manually add artifacts to the scope of your investigation

You can manually add artifacts such as assets and identities to the scope of your investigation on the workbench.

  1. From the PCI menu bar, select Investigations.
  2. Open an investigation to view the workbench for that investigation.
  3. On the Artifacts panel, click Add Artifact.
    • To add one artifact, use the default Add artifact tab:
      1. For Artifact, type the value of the asset or identity.
      2. For Type, select the type of the artifact: asset or identity.
      3. (Optional) Type a description.
        For example, Personal computer infected by ransomware.
      4. (Optional) Type one or more labels to contextualize the entity. Use a comma or press enter to add multiple labels.
        For example, ransomware, laptop, mac.
      5. (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups and add the correlated artifacts to the investigation scope.
    • To add multiple artifacts:
      1. Select Add multiple artifacts.
      2. Select the type: asset or identity. All artifacts that you add must be the same type.
      3. Select a Separator that delimits the list of assets or identities. You can use a comma or a line break as the delimiter.
      4. Type or paste the values for the assets or identities, using the separator specified in the previous step.
      5. (Optional) Type a description to apply to all assets or identities that you are adding.
        For example, Potentially-infected computers in the HR department.
      6. (Optional) Type one or more labels to apply to all assets or identities that you are adding.
        For example, infected, maybe, HR.
  4. Click Add to Scope to add the artifacts to your investigation scope.

The artifacts that you add to your investigation scope manually are automatically selected so that you can click Explore and continue your investigation with the new artifacts.
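The following Python model of the Add Artifact dialog rules is an added example, not code from the Splunk App for PCI Compliance. It splits a pasted list on the chosen separator, trims and deduplicates the values, parses the comma-separated labels, auto-detects IP addresses as assets, rejects a list that mixes types (all artifacts added together must share one type), and models Expand Artifacts against a constructed asset lookup. The pasted values, the lookup rows and its column names (ip, nt_host, dns) are assumptions for illustration; the page does not show the real lookup schema.

```python
"""Model of the workbench Add Artifact rules (added example, not Splunk code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed text as pasted into "Add multiple artifacts" (hypothetical values).
PASTED_ASSETS = "10.0.0.5, hr-laptop-01, 10.0.0.5, , hr-laptop-02\n"

# Constructed stand-in for the asset lookup; ip/nt_host/dns are assumed column names.
ASSET_LOOKUP = [
    {"ip": "10.0.0.5", "nt_host": "HR-LAPTOP-01", "dns": "hr-laptop-01.corp.example"},
    {"ip": "10.0.0.9", "nt_host": "HR-LAPTOP-02", "dns": "hr-laptop-02.corp.example"},
]


@dataclass(frozen=True)
class Artifact:
    value: str
    type: str                      # "asset" or "identity"
    description: str = ""
    labels: Tuple[str, ...] = ()


def split_values(raw: str, separator: str) -> List[str]:
    """Split a pasted list on the chosen separator (comma or line break),
    trim whitespace, drop blanks and remove duplicates while keeping order."""
    if separator not in (",", "\n"):
        raise ValueError("separator must be a comma or a line break")
    seen, values = set(), []
    for part in raw.split(separator):
        v = part.strip()
        if v and v not in seen:
            seen.add(v)
            values.append(v)
    return values


def parse_labels(raw: str) -> Tuple[str, ...]:
    """Labels are typed comma-separated, e.g. 'infected, maybe, HR'."""
    return tuple(label.strip() for label in raw.split(",") if label.strip())


def detect_type(value: str) -> Optional[str]:
    """Auto-detect the type where the value makes it unambiguous: an IP
    address is an asset; anything else needs the user's choice."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return None
    return "asset"


def find_type_conflicts(values: List[str], artifact_type: str) -> List[str]:
    """Values whose detected type contradicts the type chosen for the whole list."""
    return [v for v in values if detect_type(v) not in (None, artifact_type)]


def add_multiple_artifacts(raw: str, separator: str, artifact_type: str,
                           description: str = "", labels: str = "") -> List[Artifact]:
    """Build the artifacts the dialog would add; every value gets the same type,
    description and labels, and a mixed-type list is rejected."""
    if artifact_type not in ("asset", "identity"):
        raise ValueError("type must be asset or identity")
    values = split_values(raw, separator)
    conflicts = find_type_conflicts(values, artifact_type)
    if conflicts:
        raise ValueError(f"not {artifact_type} values: {conflicts}")
    parsed_labels = parse_labels(labels)
    return [Artifact(v, artifact_type, description, parsed_labels) for v in values]


def expand_artifact(artifact: Artifact, lookup=ASSET_LOOKUP) -> List[Artifact]:
    """Expand Artifacts: correlate an asset value against the lookup and return
    the other identifying values of the same asset as new artifacts."""
    if artifact.type != "asset":
        return []
    wanted = artifact.value.lower()
    expanded = []
    for row in lookup:
        if wanted in {str(v).lower() for v in row.values()}:
            for v in row.values():
                if v.lower() != wanted:
                    expanded.append(Artifact(v, "asset", artifact.description, artifact.labels))
    return expanded


def add_to_scope(scope: List[Artifact], new: List[Artifact]) -> List[Artifact]:
    """Append artifacts not already in scope (case-insensitive value plus type)."""
    have = {(a.value.lower(), a.type) for a in scope}
    for a in new:
        key = (a.value.lower(), a.type)
        if key not in have:
            have.add(key)
            scope.append(a)
    return scope


if __name__ == "__main__":
    hosts = add_multiple_artifacts(PASTED_ASSETS, ",", "asset",
                                   "Potentially-infected computers in the HR department",
                                   "infected, maybe, HR")
    scope = add_to_scope([], hosts)
    scope = add_to_scope(scope, expand_artifact(hosts[0]))
    for a in scope:
        print(a.type, a.value, a.labels)
```

The duplicate and blank entries in the pasted text are dropped before anything reaches the scope, and expanding the IP address only adds the DNS name, because the NT host name it correlates to is already in scope under a different case.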

Add artifacts from a workbench panel

If a workbench panel has drilldown enabled, you can add field values as artifacts from the panel.

  1. Open the investigation and view the workbench.
  2. Select artifacts and click Explore.
  3. In a panel, click a field value.
    The Add Artifact dialog box appears with the value already added.
  4. Select a Type for the artifact. Some types, such as IP addresses, are automatically detected.
  5. (Optional) Add a description for the artifact.
  6. (Optional) Add labels for the artifact.
  7. (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups and add the correlated artifacts to the investigation scope.
  8. Click Add to Scope to add the artifact to your investigation scope.

The ability to add artifacts replaces any other drilldown that might exist on the panel. See Administer and customize the investigation workbench in this manual.

Add artifacts from a raw event on the investigation

After you add an event to the investigation, you can add field values from the event as artifacts to your investigation scope.

  1. Open the investigation and view the Timeline of the investigation.
  2. Locate the event in the Slide View.
  3. Click Details to view a table of fields and values in the event.
  4. Click the value that you want to add to the investigation scope.
    The Add Artifact dialog box appears with the value already added.
  5. Select a Type for the artifact. Some types, such as IP addresses, are automatically detected.
  6. (Optional) Add a description for the artifact.
  7. (Optional) Add labels for the artifact.
  8. (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups and add the correlated artifacts to the investigation scope.
  9. Click Add to Scope.

Adjust the time range of your investigation

If there are notable events on the investigation, the workbench searches over a suggested time range based on the times of the notable events on the investigation. Time analysis suggests a time range based on the _time value of the earliest and latest notable events on the investigation.

If there are no notable events on an investigation, the workbench uses your default time range settings. See Change the default time range in the Search Manual.

If a time range is defined in the XML or in the search of a prebuilt panel, that time range takes precedence over the time range that you choose on the workbench.

Add new tabs and profiles to the workbench

Your administrator can develop additional panels, tabs, and profiles, which you can then add to the workbench to further simplify your investigation process. See Administer and customize the investigation workbench.

Add the new profiles and tabs to an investigation workbench.

  1. Open an investigation and click Explore to explore artifacts on the workbench.
  2. Click Add Content.
  3. To load a profile on the workbench, click Load profile.
    1. Select a profile.
    2. Click Save.
  4. To add a tab to the workbench, click Add single tab.
    1. Select a profile or a tab.
    2. Click Save.

Tabs and profiles that you add to the investigation workbench disappear when you refresh the workbench. Only the default tabs display.


This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1
