Start with Investigation in Splunk SOAR (Cloud)
Use the Investigation page as the starting point to understand, investigate, and act on events. An event is a single piece of data in Splunk software with a given timestamp, host, source, and source type. Events in Splunk SOAR (Cloud) are also called containers. The Investigation page gives you access to event activity history, contextual and interactive data views, secure file attachments, and automation and case management controls.
The activity feed displays current and historical action and playbook activity that has run against the currently displayed event. It provides a summary of the success, ongoing execution, and results of all automation operations for the event. The activity feed also provides team collaboration capabilities that are integrated inline with automation details and other data, forming a record of all relevant event information.
You can use Splunk SOAR (Cloud) to promote a verified event to a case using the integrated case management capability. Case management supports tasks that map to your defined Standard Operating Procedures (SOPs). Case management also has full access to the Automation Engine, allowing you to launch actions and playbooks as part of a task.
Open the Investigation page
To open the Investigation page, follow these steps:
- From the Home menu, select either Cases or Sources, then My Events.
- Select an event. If you do not yet have any events, select +Event to create an event.
Alternatively, select any event on the home page.
Set your view in Investigation
You can quickly view information and perform actions using the Summary and Analyst views in Splunk SOAR (Cloud). Switch between views by selecting the toggle switch for the Summary or Analyst view in an event or case.
To learn what you can do with each view, see the following table:
| View | What you can do with it |
| --- | --- |
| Summary | View the status of an event or case. |
| Analyst | View the status of an event or case and also perform actions, such as running a playbook, adding and editing a workbook, or viewing and adding artifacts. |
The collapsible heads up display (HUD) helps you track important metrics and information. Splunk SOAR (Cloud) administrators control HUD card settings. Users can customize the HUD for an event or case by adding or removing cards, or by configuring manual cards of their own design.
The following HUD card types are available:
- Preset Metrics
- Custom Fields
- Manual
Preset Metrics and Custom Fields cards are defined by a Splunk SOAR (Cloud) administrator and display one of the built-in metrics or the information from a custom field. You can add or remove these cards, but only an administrator can change the card options. Manual cards let you add a customized card to the HUD for an event or case.
Add a card to the HUD
Perform the following steps to add a card to the HUD:
- From the Home menu, select either Cases or Sources, then select My Events.
- Select an event or case.
- Expand the HUD menu by clicking the downward-facing double chevron icon.
- Click the gear icon to open the Configure HUD modal.
- Click + HUD Card.
- Choose a HUD card type.
- Configure the available card options. The following table describes the manual card options:
| Setting | Description |
| --- | --- |
| Type | Text creates an input field where you can add a small amount of text. Select creates a card with a dropdown list of options. |
| Message | The name of the HUD card. |
| Color | The display color of the HUD card. |
- Click Save.
This documentation applies to the following versions of Splunk® SOAR (Cloud): current