Visualize and document the steps you take during an investigation by creating and adding details to an investigation in .
- Start an investigation in .
- Investigate a potential security incident on the investigation workbench in
- Add details to an investigation in .
- Make changes to an investigation in .
- Collaborate on an investigation in .
- Review an investigation in .
- Share or print an investigation in .
- Review the summary of an investigation in .
You can start, manage, and add details to investigations on the Investigations page. View or filter the investigations assigned to you, or create one. You can view all investigations that you collaborate on using the Investigations page. As an analyst, you can only see investigations assigned to you if you also have been granted the capability to manage all investigations.
Manage your investigations
Manage ongoing investigations from the Investigations page. You can see the titles, descriptions, time created, last modified time, and collaborators on the investigations assigned to you. If you have the capability to manage all investigations, you can see all the same details for all investigations, not just the investigations that you collaborate on.
Find an investigation or refine the list of investigations by filtering. Type in the Filter box to search the title and description fields of investigations.
Example investigation workflow
- You are notified of a security incident that needs investigation through a notable event, an alert action, or by an email, ticket from the help desk, or a phone call.
- Create an investigation in .
- If you must work with someone else on the investigation, add them as a collaborator.
- Investigate the incident. While you investigate, add helpful or insightful steps to the investigation.
- Run searches, adding useful searches to the investigation from your action history with the investigation bar or relevant events using event actions. This makes it easy to replicate your work for future, similar investigations, and to make a comprehensive record of your investigation process.
- Filter dashboards to focus on specific elements, like narrowing down a swim lane search to focus on a specific asset or identity on the asset or identity investigator dashboards. Add insightful filtering actions from your action history to the investigation using the investigation bar.
- Triage and investigate potentially related notable events. Add relevant notable events to the investigation.
- Add notes to record other investigation steps, such as notes from a phone call, email or chat conversations, links to press coverage or social media posts. Upload files like screenshots or forensic investigation files.
- Complete the investigation and add a note to record a summary of your findings.
Predictive Analytics dashboard
Start an investigation in
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
Feedback submitted, thanks!