Review investigation details in Splunk Enterprise Security

View all relevant details associated with an investigation so that you can make decisions on your next steps.

Detailed information on the investigation helps you gain situational awareness about the findings or finding groups that are added to the investigation and determine whether the investigation represents a potential security threat. This includes information on relevant findings, events, response plans, automation results, and notes. You can also review information on the entities involved, such as assets and identities, and on known threat details using artifacts such as file hashes, executables, IP addresses, and related events. As a finding moves from triage to investigation, capabilities such as case status and dispositions help to maintain the current state of the finding and the investigation.

Follow these steps to view the details of an investigation:

  1. In Splunk Enterprise Security, select the investigation that you want to review from the analyst queue in the Mission Control page.
  2. Select View details to open the Overview panel.
  3. In the Overview panel for the investigation, view information such as Owner, Status, Urgency, Sensitivity, and Disposition for the investigation.
    You can also view other details such as included findings, detections, adaptive response actions, and next steps associated with the investigation.
    The following table describes the fields that are available for the investigation:

    Field        Description
    Owner        The individual who is assigned to the investigation.
    ID           A unique identification number for the investigation, for example ES-1005. You can search for an investigation in the Mission Control page using the investigation ID. You can also select the ID to copy the link to the investigation's overview page.
    Description  Information on the investigation.
    Status       Where the investigation falls within the investigation workflow. For example, Unassigned, New (default), In-progress, Pending, Resolved, or Closed.
    Urgency      A value assigned to the investigation based on the combination of the severity and priority assigned to specific fields in the assets and identities lookups. For example, Unknown, Medium, High, Critical, or Low.
    Sensitivity  The sensitivity of the investigation based on the US-CERT traffic light protocol, which is mapped to the following colors: white, amber, green, and red.
    Disposition  The threat level associated with the investigation, used to accurately separate out false positives. For example, Undetermined, True Positive - Suspicious Activity, Benign Positive - Suspicious But Expected, False Positive - Incorrect Analytic Logic, or False Positive - Inaccurate Data.
    Type         A category that connects investigations with specific service level agreements (SLAs) and response plans, such as phishing, ransomware, crowdstrike, and so on.
  4. Review all the details associated with the finding.
  5. (Optional) You can also add notes or upload files to the investigation.
    Notes let you share what you learned about the investigation with the larger team.