Manage findings included in investigations in Splunk Enterprise Security

You can add or remove findings and finding groups from an investigation to streamline the review process and focus on the root cause.

Add findings to an investigation in Splunk Enterprise Security

Add a finding or finding group to an investigation so that you can review all the information associated with the findings in context and determine the next course of action. You can also assign an investigation to an analyst and collaborate with other analysts to review investigations.

You can add a finding to an investigation using any of the following methods:

Select Add to investigation on the Mission Control page

Follow these steps to add a finding to an investigation in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, go to the Mission Control page.
  2. From the Analyst queue, select the finding or finding group that you want to convert to an investigation.
  3. Select Add to investigation to add the selected findings or finding groups to an investigation.
    Note: Findings that have already been added to an investigation have the option to View investigation, where you can either see a list of investigations that the finding is included in, or if it's only included in one, navigate directly to the investigation.
  4. Determine whether you want to create a new investigation or add the finding or finding group to an existing investigation.
  5. (Conditional) If you want to create a new investigation, follow the steps to Create a new investigation.
  6. (Conditional) If you want to add the finding or finding group to an existing investigation, follow the steps to Add findings to an existing investigation.

Select Add to investigation from the Actions drop-down menu

Follow these steps to add a finding to an investigation in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, go to the Mission Control page.
  2. From the analyst queue, select the finding or finding group that you want to convert to an investigation.
  3. Go to the three dots in the Actions drop-down menu next to the finding or finding group that you want to add to the investigation.
  4. Select Add to investigation to add the selected findings or finding groups to an investigation.
    Note: Findings that have already been added to an investigation have the option to View investigation, where you can either see a list of investigations that the finding is included in, or if it's only included in one, navigate directly to the investigation.
  5. Determine whether you want to create a new investigation or add the finding or finding group to an existing investigation.
  6. (Conditional) If you want to create a new investigation, follow the steps to Create a new investigation.
  7. (Conditional) If you want to add the finding or finding group to an existing investigation, follow the steps to Add findings to an existing investigation.

Create a new investigation

Follow these steps to add findings or finding groups to a new investigation:

Prerequisite: Access the Add to investigation dialog box in Splunk Enterprise Security.

  1. In the Add to investigation dialog box, select Create new investigation.
  2. In the Name field, enter a name for the investigation.
  3. (Conditional) Select the check box to automatically update the values of the owner, status, urgency, sensitivity, and disposition of findings with the values of the investigation.
  4. Assign an owner to the investigation by using the Owner drop-down menu. For example, Splunk administrator or Lily White.
  5. Assign a status to the investigation by using the Status drop-down menu. For example, New or Unassigned.
  6. Assign an urgency to the investigation by using the Urgency drop-down menu. For example, Critical or High.
  7. Assign a sensitivity to the investigation by using the Sensitivity drop-down menu. For example, White, Green, Amber, Red, or Unassigned.
  8. Assign a disposition to the investigation by using the Disposition drop-down menu. For example, True positive - Suspicious activity.
  9. In the Description field, enter a description for the investigation.
  10. Select Save.

Add findings to an existing investigation

Follow these steps to add findings and finding groups to an existing investigation:

Prerequisite: Access the Add to investigation dialog box in Splunk Enterprise Security.

  1. In the Add to investigation dialog box, select Add to existing investigation.
  2. Select an investigation from the Investigation drop-down menu or select an investigation from the list of recent investigations.
  3. (Conditional) Select the check box to automatically update the values of the owner, status, urgency, sensitivity, and disposition of findings with the values of the investigation.
  4. Select Save.

Remove findings from an investigation

Follow these steps to delete findings and finding groups from an existing investigation:

  1. In Splunk Enterprise Security, go to the Mission Control page.
  2. From the analyst queue, go to the finding or finding group that you want to remove from an investigation.
  3. Select the finding or finding group to open the finding or finding group in the finding details panel.
  4. Select the View details drop-down menu.
  5. Under Overview, select the three dots next to the finding name.
  6. Select Remove finding from investigation to delete the finding from the investigation.

Sync changes with included findings

Apply changes made in an investigation or finding group to all of its included findings. For example, if you reassign the owner of an investigation, you might also want that same owner assigned to all findings within it. Syncing changes helps streamline the triage process.
When you opt to sync changes, updates to specific fields automatically apply to all included findings. These fields are:
  • Owner
  • Status
  • Urgency
  • Sensitivity
  • Disposition

If a finding is included in multiple investigations or finding groups, it retains the most recent values applied to these fields. For example, if you assign a finding to yourself, and another analyst edits that same finding from a different investigation shortly after, then the finding reflects the most recent changes.
Note: New findings manually added to a finding group or investigation do not inherit the field values already set for the group.

Follow these steps to sync changes with included findings:

  1. In Splunk Enterprise Security, select Mission Control to find the analyst queue.
  2. Select a finding group or investigation from the analyst queue to open the side panel.
  3. Select the check box for Apply changes to included findings.
  4. Change the values for Owner, Status, Urgency, Sensitivity, or Disposition using the drop-down menus.
  5. (Optional) To end an investigation or finding group, change the Status to one your organization designates as an end status. For example, Resolved or Closed.
    1. Select Apply in the resulting End investigation dialog box to end all included findings.
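The following model of the sync behavior described above is an added example, not Splunk code and not the product's data model: it shows the five synced fields propagating from an investigation to its included findings, the most-recent-write rule for a finding that sits in two investigations, and a small drift check an analyst could use to spot findings whose values no longer match their investigation. The finding IDs, investigation names and owner names are constructed sample data.

```python
from dataclasses import dataclass, field

# The five fields Splunk ES syncs from an investigation to its included findings.
SYNCED_FIELDS = ("owner", "status", "urgency", "sensitivity", "disposition")


@dataclass
class Finding:
    finding_id: str
    fields: dict = field(default_factory=dict)


@dataclass
class Investigation:
    name: str
    fields: dict
    findings: list = field(default_factory=list)  # included Finding objects

    def add_finding(self, finding):
        # A finding added manually does not inherit the investigation's current values.
        self.findings.append(finding)

    def update(self, sync, **changes):
        """Change investigation fields; push them to included findings only when sync is on."""
        unknown = set(changes) - set(SYNCED_FIELDS)
        if unknown:
            raise ValueError(f"not a synced field: {sorted(unknown)}")
        self.fields.update(changes)
        if sync:
            for f in self.findings:
                f.fields.update(changes)  # latest write wins, whichever investigation made it


def drifted_findings(inv):
    """IDs of findings whose synced fields differ from the investigation's values, e.g.
    because another investigation that includes them was edited more recently, or
    because they were added after the values were set."""
    return sorted(
        f.finding_id for f in inv.findings
        if any(f.fields.get(k) != inv.fields[k] for k in SYNCED_FIELDS if k in inv.fields)
    )


def demo():
    # Constructed sample data: one finding shared by two investigations.
    shared = Finding("F-1", {"owner": "unassigned", "status": "New"})
    inv_a = Investigation("Phishing wave", {"owner": "unassigned", "status": "New"})
    inv_b = Investigation("Credential stuffing", {"owner": "unassigned", "status": "New"})
    inv_a.add_finding(shared)
    inv_b.add_finding(shared)
    inv_a.update(sync=True, owner="lily.white", urgency="High")
    inv_b.update(sync=True, owner="analyst2")  # later edit from the other investigation
    inv_a.add_finding(Finding("F-2", {"owner": "unassigned"}))  # added late, inherits nothing
    return shared.fields["owner"], drifted_findings(inv_a), drifted_findings(inv_b)
```

Running demo() shows the shared finding carrying the later owner, and the drift check flagging both the overwritten finding and the late addition in the first investigation.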