Review investigation details in Splunk Enterprise Security
View all relevant details associated with an investigation in the Overview side panel so that you can make decisions on your next steps.
Detailed information on the investigation helps to gather situational awareness about the findings or finding groups that are added to the investigation and determine whether it represents a potential security threat. This includes information on relevant findings, events, response plans, automation results, and notes. You can also review information on the involved entities, assets, identities, known threat details using artifacts such as file hashes, executables, IP addresses, and related events. As a finding moves from triage to investigation, capabilities such as case status and dispositions help to maintain the current state of the finding and the investigation.
Follow these steps if you want to view details of an investigation:
- In Splunk Enterprise Security, select the investigation that you want to review from the analyst queue in the Mission Control page.
- Select View details to open the Overview panel.
- In the overview side panel for the investigation, review details such as the Owner, Status, Urgency, Sensitivity, and Disposition. You can also view other details such as included findings, detections, adaptive response actions, and next steps associated with the investigation.
The following table identifies the investigation details that are available for the investigation:
Field Description Owner The individual who is assigned the investigation ID A unique identification number for the investigation. For example, ES-1005. You can search for an investigation in the Mission Control page using the investigation ID. You can also select the ID to copy the link to the investigation's overview page. Description Information on the investigation. Status Where the investigation falls within the investigation workflow. For example, Unassigned, New (default), In-progress, Pending, Resolved, or Closed. Urgency Values assigned to investigations based on the combination of the severity and priority assigned to specific fields in the assets and identities lookups. For example, Unknown, Medium, High, Critical, or Low. Sensitivity The sensitivity of the investigation based on the US-CERT traffic light protocol, which is mapped to the following colors: white, amber, green, and red. Disposition The threat level associated with the investigation to accurately separate the false positives. For example, Undetermined, True Positive - Suspicious Activity, Benign Positive - Suspicious But Expected, False Positive - Incorrect Analytic Logic, or False Positive - Inaccurate Data. Type A category level that connects investigations with specific service level agreements (SLAs) and response plans such as phishing, ransomware, crowdstrike, and so on. - Expand or collapse the various aspects of the investigation for more details. For example, Threat analysis, Details, Triage plan, Threat intelligence, Drill-down and next steps, Related investigations, Response history, and Notes.
- Add notes or upload files to the investigation. Notes allows you to share any information about the investigation with the larger team.
Note: If a Splunk Enterprise Security administrator customized the analyst queue settings to require notes, you'll need to enter a note after editing any investigation fields in the resulting
Add note dialog box and then select Save changes.
- Select Shared fields in the main panel of the investigation to view all the fields that are common across the findings and finding groups within the investigation. Alternatively, you can select All fields to view all the fields associated with the findings and finding groups in an investigation.
Pre-defined fields in the investigation side panel
Use the pre-defined field groups and values in the investigation side panel to determine if a security threat such as phishing is evident. For more information, see Phishing investigation and threat analysis in Splunk Enterprise Security.
Following is the list of pre-defined fields that you can explore for further insights into the investigation:
Attack
-
annotations.mitre_attack
-
annotations.mitre_attack.mitre_description
-
annotations.mitre_attack.mitre_detection
-
annotations.mitre_attack.mitre_tactic
-
annotations.mitre_attack.mitre_tactic_id
-
annotations.mitre_attack.mitre_technique
-
annotations.mitre_attack.mitre_threat_group_name
Entity
- all_risk_objects
- risk_object
- risk_object_category
- risk_object_priority
- risk_object_type
Device
- dvc
- dvc_bunit
- dvc_category
- dvc_city
- dvc_country
- dvc_dns
- dvc_ip
- dvc_is_expected
- dvc_lat
- dvc_long
- dvc_mac
- dvc_nt_host
- dvc_owner
- dvc_pci_domain
- dvc_requires_av
- dvc_should_timesync
- dvc_should_update
Destination
- dest
- dest_bunit
- dest_category
- dest_city
- dest_country
- dest_dns
- dest_ip
- dest_is_expected
- dest_lat
- dest_long
- dest_mac
- dest_nt_domain
- dest_nt_host
- dest_owner
- dest_pci_domain
- dest_port
- dest_record
- dest_requires_av
- dest_should_timesync
- dest_should_update
- dest_threatlist_category3
- dest_threatlist_description
- dest_threatlist_name
- dest_translated_ip
- dest_translated_port
- dest_type
- dest_zone
Host
- orig_host
- orig_host_bunit
- orig_host_category
- orig_city
- orig_country
- orig_host_dns
- orig_host_ip
- orig_host_is_expected
- orig_host_lat
- orig_host_lang
- orig_host_mac
- orig_host_nt_host
- orig_host_owner
- orig_host_pci_domain
- orig_host_requires_av
- orig_host_should_timesync
- orig_host_should_update
>Source
- src
- src_bunit
- src_category
- src_city
- src_country
- src_dns
- src_ip
- src_is_expected
- src_lat
- src_long
- src_mac
- src_nt_domain
- src_nt_host
- src_owner
- src_pci_domain
- src_port
- src_record
- src_requires_av
- src_should_timesync
- src_should_update
- src_threatlist_category
- src_threatlist_name
- src_threatlist_description
- src_translated_ip
- src_translated_port
- src_type
- src_user
- src_user_bunit
- src_user_category
- src_user_email
- src_user_enddate
- src_user_first
- src_user_group
- src_user_group_id
- src_user_id
- src_user_identity
- src_user_last
- src_user_privilege
- src_user_role
- src_user_type
- src_user_work_city
- src_user_zone
Threat
- threat_category
- threat_collection
- threat_collection_key
- threat_description
- threat_group
- threat_ip
- threat_key
- threat_match_field
- threat_match_value
- threat_object
- threat_object_type
- threat_source_id
- threat_source_path
- threat_source_status
- threat_source_type
For further exploration into security threats beyond these field categories, review Additional fields. in the side panel.
See also
For more information on reviewing and collaborating on investigations, see the product documentation:
- Collaborate on investigations in Splunk Enterprise Security
- Configure the status of findings and investigations in Splunk Enterprise Security
- Configure dispositions for findings in Splunk Enterprise Security
- Investigate findings using drill-down searches and dashboards in Splunk Enterprise Security
- Managing access to investigations in Splunk Enterprise Security