Add a user or asset to a new or existing investigation from the User analysis or Asset analysis page in Splunk Enterprise Security. This can help you quickly act on unusual behavior without leaving the analysis workflow.
- In Splunk Enterprise Security, select Analytics then UEBA.
- Select a user or asset from the table to open the UEBA entity analysis dashboard.
- Select Start investigation to open the investigation dialog box. Or, if active investigations already exist with the entity, select the more icon and then select Start investigation.
- Do one of the following options:
- Select Start investigation.
After you start an investigation, a finding is automatically created for the selected user or asset. This finding includes a summary of key risk information from the Risk Data Model and becomes part of the new or existing investigation. You can find investigations in the analyst queue.
Note: On the analysis page for the user or asset, you can find related investigations in the All related investigations panel or by selecting View investigation.