Splunk® SOAR (On-premises)

Use Splunk SOAR (On-premises)


Start with Investigation in Splunk SOAR (On-premises)

Use the Investigation page as the starting point to understand, investigate, and act on events. An event is a single piece of data in Splunk software with a given timestamp, host, source, and source type. Events in Splunk SOAR (On-premises) are also called containers. The Investigation page gives you access to the event's activity history, contextual and interactive data views, secure file attachments, and automation and case management controls.

The activity feed displays current and historical action and playbook activity that has acted on the currently displayed event. It provides a summary of the success, ongoing execution, and results of all automation operations for the event. The activity feed also provides team collaboration capabilities that are integrated inline with automation details and other data, forming a record of all relevant event information.

You can use Splunk SOAR (On-premises) to promote a verified event to a case using the integrated case management capability. Case management supports tasks that map to your defined Standard Operating Procedures (SOPs). Case management also has full access to the Automation Engine, so you can launch actions and playbooks as part of a task.

Open the Investigation page

To open the Investigation page, follow these steps:

  1. From the Home menu, select Cases, or select Sources and then My Events.
  2. Select an event. If you do not yet have any events, select +Event to create one.

Alternatively, select any event on the home page.
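The +Event button creates a container through the UI; the same object can be created programmatically through the SOAR REST API, which is what automated ingestion does. The following is an added example and is not code from this documentation page: it builds and posts a container (event) and one artifact to `/rest/container` and `/rest/artifact`, authenticating with an automation user's token in the `ph-auth-token` header. The base URL, the token, the sample alert data and the `cef` field values are assumptions chosen for illustration; the `events` container label and the low/medium/high severities are the defaults on a new installation and must match what your administrator has configured.

```python
"""Create an event (container) in Splunk SOAR over its REST API and attach an
artifact to it. Added example, not code from the Splunk documentation.

Assumptions (placeholders, not real values): SOAR_URL is the base URL of a
reachable SOAR instance and SOAR_TOKEN is an automation user's token sent in
the ph-auth-token header.
"""
import json
import ssl
import urllib.error
import urllib.request

SOAR_URL = "https://soar.example.internal"         # assumption: your SOAR base URL
SOAR_TOKEN = "REPLACE_WITH_AUTOMATION_USER_TOKEN"  # assumption: automation user's token
VALID_SEVERITIES = ("low", "medium", "high")       # default severities on a new install


def build_container(name, label="events", severity="medium", description="", tags=None):
    """Body for POST /rest/container. A container is what the UI calls an event;
    the observables it is about are added afterwards as artifacts."""
    if not name:
        raise ValueError("container name is required")
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"severity must be one of {VALID_SEVERITIES}, got {severity!r}")
    return {
        "name": name,
        "label": label,
        "severity": severity,
        "description": description,
        "tags": list(tags or []),
    }


def build_artifact(container_id, cef, name="source event", label="event", run_automation=True):
    """Body for POST /rest/artifact. 'cef' holds the observables (sourceAddress,
    destinationAddress, fileHash, ...) that actions and playbooks operate on.
    run_automation=True lets active playbooks fire when the artifact lands."""
    if not isinstance(container_id, int) or container_id <= 0:
        raise ValueError("container_id must be a positive integer")
    if not cef:
        raise ValueError("an artifact without CEF fields gives automation nothing to act on")
    return {
        "container_id": container_id,
        "name": name,
        "label": label,
        "cef": dict(cef),
        "run_automation": run_automation,
    }


def object_id_from_response(response):
    """Return the created object's id from a SOAR REST reply, or raise.
    Success replies look like {"id": 42, "success": true}; failures carry
    {"failed": true, "message": "..."} alongside an HTTP error status."""
    if response.get("success") and "id" in response:
        return int(response["id"])
    raise RuntimeError(f"SOAR rejected the request: {response.get('message', response)}")


def soar_post(path, body, verify_tls=True):
    """POST a JSON body to SOAR and return the decoded JSON reply, including
    the JSON error body SOAR sends with 4xx/5xx responses.
    verify_tls=False is only for lab instances with self-signed certificates."""
    request = urllib.request.Request(
        SOAR_URL + path,
        data=json.dumps(body).encode(),
        headers={"ph-auth-token": SOAR_TOKEN, "Content-Type": "application/json"},
        method="POST",
    )
    context = ssl.create_default_context()
    if not verify_tls:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(request, context=context) as reply:
            return json.load(reply)
    except urllib.error.HTTPError as err:
        return json.load(err)  # error detail is JSON in the response body


if __name__ == "__main__":
    # Constructed sample input: one suspicious-login alert (not real data).
    container = build_container("Suspicious login from new country",
                                severity="high",
                                description="Impossible-travel alert from the IdP",
                                tags=["identity"])
    container_id = object_id_from_response(soar_post("/rest/container", container))
    artifact = build_artifact(container_id, {
        "sourceAddress": "203.0.113.7",
        "sourceUserName": "alice",
        "destinationHostName": "login.example.com",
    })
    artifact_id = object_id_from_response(soar_post("/rest/artifact", artifact))
    print(f"created container {container_id} with artifact {artifact_id}")
```

Once the container exists it appears under Sources > My Events and opens in the Investigation page like any event created with +Event; artifacts are what the Analyst view lists under "artifacts", and their CEF fields are the inputs the activity feed's actions and playbooks act on.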

Set your view in Investigation

You can quickly view information and perform actions using the Summary and Analyst views in Splunk SOAR (On-premises). Switch between views by selecting the Summary or Analyst toggle in an event or case.

To learn what you can do with each view, see the following table:

View What you can do with it
Summary View the status of an event or case.
Analyst View the status of an event or case and also perform actions, such as running a playbook, adding and editing a workbook, or viewing and adding artifacts.

HUD cards

The collapsible heads up display (HUD) helps you track important metrics and information. Splunk SOAR (On-premises) administrators control HUD card settings. Users can customize the HUD for an event or case by adding or removing cards, or by configuring manual cards of their own design.

The following HUD card types are available:

  • Preset Metrics
  • Custom Fields
  • Manual

Preset Metrics and Custom Fields cards are defined by a Splunk SOAR (On-premises) administrator and display one of the built-in metrics or the information from a custom field. You can add or remove these cards, but only an administrator can change the card options. Manual cards let you add a customized card to the HUD for an event or case.

Add a card to the HUD

Perform the following steps to add a card to the HUD:

  1. From the Home menu, select either Cases or Sources > My Events.
  2. Select an event or case.
  3. Expand the HUD menu by clicking the downward-facing double chevron icon.
  4. Click the gear icon to open the Configure HUD modal.
  5. Click + HUD Card.
  6. Choose a HUD card type.
  7. Configure the available card options. The following table describes the manual card options:
    Setting Description
    Type Text creates an input field where you can add a small amount of text. Select creates a card with a dropdown list of options.
    Message The name of the HUD card.
    Color The display color of the HUD card.
  8. Click Save.
Last modified on 12 February, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0

