Create a simple finding or an investigation

You can quickly create a simple finding or investigation as a starting point when you suspect that one is needed but do not yet have the details. A simple finding or investigation lets you track tips from the security team or threats that an analyst detected manually, before any automated detection has fired.
Note: Most attributes and fields are optional when you create a finding or an investigation. Additionally, an investigation no longer has to be tied to a finding; you can create an empty investigation on its own.
  1. In Splunk Enterprise Security, select Mission Control and then select Analyst queue.
  2. In the Analyst queue page, select the + tab.
  3. Select Create new finding to create a finding that can be added to the analyst queue.
  4. In the Create new finding page, add a name for the finding in the Title field. For example: Possible Phishing attack
  5. Select Start an investigation for this finding if you want to create a new investigation for this finding.
  6. If you chose to start a new investigation, select an investigation type from the drop-down menu. To attach the finding to an investigation that already exists instead, select it from the Select existing investigation drop-down.
  7. From the Security domain drop-down, select the security domain that the finding belongs to, such as Access or Endpoint.
  8. Select Save.
To create an empty investigation that is not tied to a finding, go to the Analyst queue page, select +, and then select Create new investigation. Only the title and the investigation type are required; enter them and then select Save.