Overview of Mission Control in Splunk Enterprise Security

Triage, investigate, and respond to security incidents using the Mission Control page in Splunk Enterprise Security. You can also collaborate with others on your team to identify and remediate security incidents.

The Mission Control page includes the following:

  • An analyst queue for viewing findings and investigations
  • Charts and a timeline for visualizing finding and investigation details

The analyst queue

In Splunk Enterprise Security, detections generate the findings and finding groups that appear in the analyst queue based on raw events and third-party alerts. An investigation is a structured approach for gathering evidence and responding to a security incident. Each investigation is based on one or more findings related to the security incident, and they appear alongside findings in the analyst queue.

As an analyst, you can use the analyst queue to review findings, finding groups, and investigations to gain insight into the severity of events occurring in your system or network.

Charts and timeline

Gain insight into findings and investigations using the pie charts and timeline visualization. To see the charts on the Mission Control page, select Charts.

The four pie charts show findings and investigations by the following criteria:

Chart | Criteria
Urgency | Classifies all findings and investigations based on importance, such as Critical, High, Low, Medium, Informational, or Unknown.
Status | Classifies all findings and investigations based on status, such as New, In progress, Pending, Resolved, or Closed.
Owner | Classifies all findings and investigations based on owners, such as Unassigned, Administrator, or by a specific username.
Domain | Classifies all findings and finding groups based on the security domain from which they're generated, such as Access, Audit, Endpoint, Identity, Network, or Threat.

Identify when findings were generated using the timeline visualization. To display the timeline on the Mission Control page, select Timeline. You can zoom in, zoom out, select, or deselect to focus on specific periods of time and view related events that might be of interest for more targeted threat investigations.

Example: Analyst workflow on the Mission Control page

The following high-level example workflow covers how to triage and investigate a finding by assigning it to yourself, reviewing its details, and responding to it by starting an investigation and using automation and a response plan.

  1. In Splunk Enterprise Security, select Mission Control from the main menu navigation bar to view a list of findings and investigations in the analyst queue.
  2. Review the findings and investigations from the last 24 hours from newest to oldest, and filter to focus on the ones that are most important to you.
  3. Select the name of a finding in the analyst queue to open the side panel.
  4. Triage the finding by selecting Assign to me, updating the status to reflect that you're working on it, and then selecting Save.
  5. Select Start investigation, and then view details such as events, additional fields, notes, and files.
  6. Add a response plan to the investigation to follow standardized tasks and phases for remediating the security incident.
  7. Automate your security workflow by running actions and playbooks on the investigation to gather more information and then remediate the security incident.
  8. Use threat intelligence sources to update the investigation and assess the risk posed by observables.
  9. Continue to update the investigation to keep other analysts informed of your progress. For example, update the status of the investigation to Pending to reflect that you're waiting for other information, action, or help from other teams, such as a crucial playbook or action approval.
  10. After you come to a conclusion about the investigation, update the disposition value. Available outcome values include True positive, Benign positive, False positive, and Undetermined.
  11. Close the investigation to indicate that you took all of the appropriate actions to resolve the security incident.

See also