Configure the settings for the analyst queue in Splunk Enterprise Security
Configure settings to modify analyst capabilities and permissions to customize the display of findings and investigations in the analyst queue of the Mission Control page in Splunk Enterprise Security. You can override and replace the calculated urgency of a finding or an investigation. You can also set up a time range to ensure specific findings or investigations are displayed in the analyst queue. Additionally, you can turn on auto-refresh to update the list of findings and investigations automatically in the analyst queue.
Override and replace the calculated urgency of a finding or investigation
Follow these steps to configure whether analysts can override the calculated urgency of a finding or an investigation:
- In Splunk Enterprise Security, select Configure.
- Select Findings and investigations and then select Analyst queue settings in the left panel.
- In the Findings and investigations section, turn off the button to override and replace the calculated urgency of findings and investigations. When this button is turned on, the urgency level is displayed for findings and investigations in the analyst queue. Note: Analysts are allowed to override urgency by default.
Hide or show duplicate findings that have been added to an investigation
A finding that is part of an investigation can appear both nested under the investigation and also as a separate listing in the analyst queue. You can opt to show the finding in both locations, or you can hide the finding so that it only appears nested under an investigation.
To prevent duplicate work, opt to hide findings from the top-level analyst queue if they have been added to an investigation. Hiding these findings lets SOC analysts know that a finding is already in an investigation, so they don't start working on a finding that is already in progress. With this option turned on, the top-level analyst queue shows only findings that have not been added to any investigation.
To hide finding duplicates that have been added to an investigation, follow these steps:
Make notes required or optional
Requiring notes ensures that analysts document updates they make to a finding or investigation. Keeping notes optional allows them to triage more quickly without adding notes.
To change the note requirement setting, follow these steps:
Make note titles required or optional
As an admin, you can choose whether to make note titles optional or required.
Making note titles optional allows analysts to document finding or investigation updates quickly without extra steps. Requiring note titles ensures that each note has a consistent title summary for finding and investigation updates.
To change the note title requirement setting, follow these steps:
- In Splunk Enterprise Security, select Configure, then Findings and investigations, and then Analyst queue settings.
- In the Notes section, select the toggle switch to turn on or turn off Show note title. Showing a note title requires analysts to add a title to any note they add. Turning off this option allows analysts to add a note without a title.
Add a default time range for findings and investigations
Add a default time range to the analyst queue so that only the items created or edited within that time frame appear in the analyst queue. Adding a default time range helps to keep the number of findings and investigations in the analyst queue to a manageable level.
Follow these steps to add a default time range for displaying findings and investigations:
- In Splunk Enterprise Security, select Configure.
- Select Findings and investigations and then select Analyst queue settings in the left panel.
- In the Analyst queue settings section, go to Analyst queue: Default time range.
- Enter an Earliest time and Latest time to specify the time window.
Turn on auto-refresh to update findings and investigations
Configure a specific frequency to refresh findings and investigations on the Mission Control page so that they get automatically updated and new findings can be addressed in a timely manner.
Follow these steps to configure a specific frequency to auto-refresh findings and investigations:
- In the Splunk Enterprise Security app, select Configure.
- Select Findings and investigations and then select Analyst queue settings in the left panel.
- In the Analyst queue settings dialog, go to Analyst queue: Auto-refresh.
- Turn on the Auto refresh button to display the auto refresh option on the Mission Control page.
- Select the default state to specify whether auto-refresh is turned on or turned off by default.
- Select a default time to auto-refresh findings from the Time interval drop-down list. You can select any of the following options: 30 seconds, 1 minute, 2 minutes, or 5 minutes.
After auto-refresh is configured in the Analyst queue settings, you can still turn it on or off at any time by selecting Auto refresh on or Auto refresh off on the Mission Control page.
See also
For more information on calculating urgency and adding notes in Splunk Enterprise Security, see the product documentation: