Analyst and team-based queues in Splunk Enterprise Security

Organize findings and investigations into focused workspaces that help analysts and administrators stay aligned and efficient.

In security operations centers, analysts often specialize in different types of investigations, such as endpoint alerts, insider threats, or cloud anomalies. Each team needs a focused view of the work that matters to them without losing sight of the organization's overall activity.

Team-based queues in Splunk Enterprise Security organize findings and investigations into focused workspaces that reflect each team's responsibilities, with the flexibility to view or adjust other queues when needed. This helps security teams stay focused, reduce noise, and respond to threats faster. Administrators can also define which findings and investigations each team sees by default, ensuring that the right people are working on the right problems.

Team-based queues can help you achieve the following:

  • Focus on relevant work: See only the findings and investigations aligned with your team’s responsibilities.

  • Triage faster: Spend less time filtering and more time investigating.

  • Collaborate consistently: Work from shared views that keep teams aligned on priorities.

  • Adapt to change: Adjust queues easily as roles and responsibilities evolve.

  • Maintain visibility: Use the default analyst queue to ensure nothing is overlooked, even when items fall outside a team’s scope.

If you configure team-based queues, keep in mind that they determine which items appear in a user's workspace; they do not control who can access specific data.

Note: API access follows the same rules as the UI. Admin restrictions are enforced, and user filters are always applied when retrieving data. You can append queue_id to the API if you want to send findings generated from Splunk SOAR playbooks to a specific queue. If you don't, those findings go to the default analyst queue.

Saved views are different from team-based queues, and they exist only in the queue they're created in. For example, before you add any team-based queues, your saved views apply only to the default analyst queue. After you add a new team-based queue, you can create saved views for that particular queue. See Manage saved views to display findings and investigations in Splunk Enterprise Security.

Comparing the admin and analyst experience for team-based queues

Team-based queues support both analysts and administrators, offering each role the context they need to work efficiently.

| Role | How they work | What they gain |
| --- | --- | --- |
| Analysts | Start each session in a workspace that shows only the findings and investigations relevant to their team. They can still apply their own filters or reassign items that fall outside their queue. | A clearer focus on the work that matters most, with flexibility to adjust or collaborate across teams. |
| Administrators | Define and manage team workspaces that align with organizational roles. They can update queue definitions as teams change or new responsibilities emerge. | Confidence that analysts begin with the right context and that work is evenly distributed across the SOC. |

The default analyst queue

When an admin creates multiple team-based queues, Splunk Enterprise Security still maintains a default triage queue, which is the existing Analyst queue. This queue displays all findings and investigations that don't match any defined queue conditions. It functions as a catch-all view for triage or reassignment tasks, often used by Tier 1 analysts or SOC leads.

Organizations that choose not to configure team-based queues can continue using the analyst queue and saved views. See Manage saved views to display findings and investigations in Splunk Enterprise Security.

Finding groups in team queues

Finding groups are triaged only once, based on the findings present at the time of triage. If additional findings are later added and the group no longer meets the original triage conditions, it is not re-triaged or automatically moved to a different queue.

For example, if a finding group is initially triaged into a lower-risk queue, adding a new finding that increases the risk score does not move the group to a higher-risk queue. To change queues, you must move the finding group manually.

Additionally, moving a finding group to another queue does not move the underlying findings. You can expand the finding group to view its referenced findings, but you cannot select or move those findings from within the finding group drilldown view. To move an individual finding, you must do so outside of the finding group. This differs from moving an investigation, which moves all associated findings, finding groups, and related items.
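The routing rules above (first matching queue condition, catch-all default analyst queue, finding groups triaged once and never re-triaged, group moves not carrying their findings, investigation moves carrying everything) are modelled in the following added example. It is not Splunk code: the queue conditions, the risk aggregation for a group, and the dict/dataclass shapes are constructed assumptions used only to make the behaviour concrete.

```python
from dataclasses import dataclass

DEFAULT_QUEUE = "analyst"  # the catch-all analyst queue

# Constructed queue conditions: (queue_id, predicate), checked in order.
# Splunk's own condition syntax is not reproduced; this only models the behaviour.
QUEUE_RULES = [
    ("high_risk", lambda item: item["risk_score"] >= 80),
    ("endpoint", lambda item: item["source"] == "endpoint"),
]

def route(item):
    """First queue whose condition matches, otherwise the default analyst queue."""
    for queue_id, matches in QUEUE_RULES:
        if matches(item):
            return queue_id
    return DEFAULT_QUEUE

@dataclass
class FindingGroup:
    findings: list
    queue: str = None  # None until the group has been triaged

    def summary(self):
        # Assumed aggregation: group risk is the sum of its members' risk scores.
        return {"source": self.findings[0]["source"],
                "risk_score": sum(f["risk_score"] for f in self.findings)}

    def triage(self):
        # Triaged only once, on the findings present at that moment.
        if self.queue is None:
            self.queue = route(self.summary())
        return self.queue

    def add_finding(self, finding):
        self.findings.append(finding)  # no re-triage: the queue stays as assigned

def move_group(group, queue_id):
    """Moving a group changes only the group; member findings keep their own queues."""
    group.queue = queue_id

def move_investigation(inv, queue_id):
    """Moving an investigation moves its findings and finding groups with it."""
    inv["queue"] = queue_id
    for f in inv["findings"]:
        f["queue"] = queue_id
    for g in inv["groups"]:
        g.queue = queue_id

def demo():
    # Constructed findings: a low-risk group that later grows past the high_risk threshold.
    first = {"source": "cloud", "risk_score": 30}
    first["queue"] = route(first)
    grp = FindingGroup([first])
    at_triage = grp.triage()                    # "analyst": 30 < 80, not endpoint
    grp.add_finding({"source": "cloud", "risk_score": 60, "queue": "analyst"})
    after_growth = grp.triage()                 # still "analyst" although the sum is 90
    return at_triage, after_growth, route(grp.summary())  # a fresh triage would say "high_risk"
```

Running demo() shows the gap the text describes: the group stays in the analyst queue even though re-evaluating its conditions would now place it in high_risk, so an analyst has to move it by hand.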

To get started with team-based queues, complete the following: