Specify the display of finding groups in the analyst queue of Splunk Enterprise Security

Note: Finding-based detections in Splunk Enterprise Security are currently released as a preview feature. Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms. To provide feedback, visit the Voice of the Customer portal for finding-based detections and select Send Feedback.

Customize the display of finding groups in the analyst queue on the Mission Control page by defining the fields that each finding group shows.

Follow these steps to specify the display of finding groups in the analyst queue on the Mission Control page.

  1. In Splunk Enterprise Security, select the Security content tab.
  2. Select Content management.
  3. Select Create new content and then select Detections.

    Note: You can also edit an existing detection to adjust its display in the analyst queue.
  4. Select Finding-based detection to open the detection editor.
  5. In the detection editor, go to Analyst queue.
  6. Add the criteria to specify the display of the finding groups in the Analyst queue on the Mission Control page.
    | Field | Description | Required? |
    | --- | --- | --- |
    | Title | Name of the finding group. | Yes |
    | Description | Information on the finding group. | Yes |
    | Investigation type | Information on the service level agreements and response plans associated with an investigation. | Yes |
    | Security domain | Categories to organize access to entities within a specific network or system. For example, access, identity, endpoint, network. | Yes |
    | Severity | Value assigned to a finding. Combined with the priority of an entity, it helps to determine the urgency of an event. | Yes |
    | Default owner | Owner of the finding group. | No |
    | Default status | Status of the finding group. For example, New, In progress, Closed. | Yes |
    | Drill-down searches | Drill-down searches that provide additional context to the finding group. | No |
    | Drill-down dashboards | Drill-down dashboards that provide additional context to finding groups by giving visibility into multiple drill-down searches. | No |
    | Identity extraction | Collect and update your identity data automatically to improve data integrity and reduce the overhead and maintenance of manual updates. | |
    | Asset extraction | Collect and update your asset data automatically to improve data integrity and reduce the overhead and maintenance of manual updates. | No |
    | File extraction | Enter a field name to extract data from a file. | No |
    | URL extraction | Enter a field name to extract data from a URL. | No |
    | Next steps | Select the next steps to address the threat from the drop-down list. | No |
    | Recommended actions | Specify the adaptive response action to take from a list of adaptive response actions. | No |
  7. Add annotations to enrich the detection search results using the standard cybersecurity frameworks.
  8. Specify the time range to run the finding-based detection.
  9. Specify the adaptive response action for the finding-based detection.

Add a clickable URL as a next step to address a threat

Specify a URL in the Next steps field in the Analyst queue section of the detection editor. Adding next steps helps to incorporate additional information in the detection to provide context and build custom workflows during an investigation.

Follow these steps to add a URL as a next step:

  1. In Splunk Enterprise Security, select the Security content tab.
  2. Select Content management.
  3. Select Create new content and then select Detections.
  4. Select Finding-based detection to open the detection editor.
  5. In the detection editor, go to Analyst queue.
  6. Go to Next Steps.
  7. From the Insert action dropdown menu, select URL.
  8. In the Add URL dialog box, enter the Display Name. For example: teamdoc
  9. Enter the URL, which can point to a wiki page, a runbook, a Splunk dashboard, or a third-party website. For example: https://linkname.com

    Note: The URL that you specify does not trigger an adaptive response action, but you can still select the link text. Selecting it opens the URL, which points to the additional information.
  10. Select Save.