Collaborate on investigations in Splunk Enterprise Security

As a security analyst, you can share information on investigations and findings with other analysts to collaborate on identifying root cause and security threats through knowledge sharing.

You can add details and evidence to your investigation such as actions, and notes. You can add findings or other events that add insight to the investigation.

Use notes and upload files to add relevant information like links to online press coverage, tweets, or screenshots. Additionally, you can record important investigation steps that you take, such as phone, email, or chat conversations as notes on the investigation.

You can also leverage features such as IDs and shared views to collaborate on open findings and investigations. Select the unique ID for investigations such as ES-11005 to copy the link to the investigation and share it with other analysts.

Assign a finding or an investigation to an analyst

Owners are unassigned by default, and you can assign findings and investigations to any user with an administrator, ess_admin, or ess_analyst role.

Note: If you use SAML authentication, it might take up to 10 minutes to update the list of users to which you can assign findings or investigations.

Follow these steps to assign a finding or an investigation to an analyst:

  1. In Splunk Enterprise Security, go to the Mission Control page.
  2. Select a finding or an investigation from the Analyst queue to which you want to assign an owner.
  3. In the details page, go to Owner drop-down and assign an owner to the finding or the investigation. Alternatively, select Assign to me by selecting the three dots Actions menu next to the finding or the investigation and assign it to yourself.
  4. (optional) Add notes to the finding or the investigation.
  5. Select Save to save your changes.

Create and share notes on an investigation

Add a note to an investigation to record investigation details or add attachments. You can also add a note from the dashboards in Splunk Enterprise security.

Follow these steps to add and share notes on investigations in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, go to the specific investigation to which you want to add notes and select the investigation.
  3. Select View details and go to the investigation Overview page.
  4. Go to the Notes section to view a drop-down search filter to display notes. Following are the viewing options in the drop-down:
    • Show all: Displays all the notes associated with the investigation.
    • General notes: Displays notes that are overall observations related to the investigation.
    • Finding notes: Displays notes on the findings included in the investigation.
    • Response notes: Displays notes that outline the response actions planned for the findings in the investigation.
    Select the option you want to display the specific type of notes associated with the investigation.
  5. Select the add icon (+) to add a new note.
  6. Enter a title for the note.
    For example, "Phone conversation with police."
  7. (optional)Enter a description for the note. For example, a note to record a phone conversation might include the following description: "Called the police. Spoke with Detective Reggie Martin. Discussed an employee stealing identities from other employees".
    Note: The date and time of the note is automatically populated based on when the note was created.
  8. (optional): Attach a file to the note. Select the attachment icon and drag the file onto the Description field or select browse to find the file to add from your computer.
    Note: The maximum file size is 4 MB. You can add multiple files to a note. You can see a preview of the first file you add to the note on the investigation timeline. If the filename contains unsupported characters, select the '''Replace not supported characters with '-' ''' and then select '''Change'''.
    Alternatively, you can remove and replace the unsupported characters manually.
  9. Select Save to add the note to the open investigation.

Edit or delete notes in an investigation

Edit or delete existing notes in an investigation by selecting the drop-down menu next to the note and then selecting the Edit or Delete option.

All changes to the notes can be tracked in the audit logs. For example, you can use the following search to identify any modifications to notes included in an investigation. 

index=_audit source=mc_notes | rex "(?<timestamp>[\d.]+),(?<incident_id>[\w-]+),(?<user>[\w_]+),(?<model>[\w]+),(?<command>[\w]+),(?<diff>.+)" | eval time=_time | table time, user, source, incident_id, diff, command

Upload files to an investigation

Upload files to add relevant information such as links to online press coverage, tweets, or screenshots.

Follow these steps to upload files to an investigation:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, go to the specific investigation to which you want to add notes and select the investigation.
  3. Select View details and go to the investigation Overview page.
  4. Go to the Files section and select Upload files.

    Note: All file types are supported. You can also choose to drag and drop your file for upload.

Copy links to an investigation

Copy links to an investigation to share details of the information with other analysts.

Follow these steps to copy links to an investigation:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, select the investigation for which you want to share the link.
  3. Select the ellipses drop-down in the investigation details panel, and then select Copy link to copy the investigation link on your clipboard and share it with other analysts or users.

Make files available to Splunk SOAR

If your Splunk Enterprise Security environment is paired with your Splunk SOAR environment, you can use Splunk Enterprise Security files in apps and playbooks. For example, you might create a playbook that takes files you specify and detonates them in a sandbox.

The word SOAR displays next to the name of files available in Splunk SOAR.

For information on pairing with Splunk SOAR, see Pair Splunk Enterprise Security with Splunk SOAR.

Follow these steps to make a file available to Splunk SOAR:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, go to the investigation with the specific file and select the investigation.
  3. Select View details and go to the investigation Overview page.
  4. Go to the Files section and locate the file.
  5. Select the three dots associated with that file and select Make available to SOAR.

Follow these steps to use files available in Splunk SOAR:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, go to the investigation with the specific file and select the investigation.
  3. Select View details and go to the investigation Overview page.
  4. Go to the Files section and locate the file.
  5. Select the three dots associated with that file and select Copy SOAR vault ID.

If you want to run a playbook that uses files in this section, you must make all files available to SOAR. If you add files later and want to include those in playbook runs, make those new files available to SOAR and run the playbook again.

Delete files from Splunk Enterprise Security, Splunk SOAR, or both

Deleting a file removes it entirely from Splunk Enterprise Security, from Splunk SOAR, or from both.

If you are using this file in another investigation, that copy of the file is not removed.

Follow these steps to delete a file:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, go to the investigation with the specific file and select the investigation.
  3. Select View details and go to the investigation Overview page.
  4. Go to the Files section and locate the file.
  5. Select the three dots associated with that file and select Delete file.