Investigate a potential security incident on the investigation workbench in the Splunk App for PCI Compliance
Investigate assets and identities, or artifacts, involved in a potential security incident on the investigation workbench. After you create an investigation in the Splunk App for PCI Compliance, you can start using the workbench for that investigation. Each investigation has a separate workbench.
When you investigate artifacts on an investigation workbench, by default you see Context, Endpoint Data, and Network Data tabs. Those tabs contain panels that help you gain context into the assets and identities you investigate, endpoint-related data such as file system activity, and network data such as network traffic.
Add artifacts to the scope of your investigation
As part of your investigation on the workbench, you can add assets and identities as artifacts to the scope of your investigation so that you can verify whether or not they are affected by, or participants in, the overall security incident.
- Add artifacts automatically from a notable event. See Set up artifact extraction for notable events in this manual.
- Add artifacts manually. See Manually add artifacts to the scope of your investigation in this topic.
- Add artifacts from a workbench panel. See Add artifacts from a workbench panel in this topic.
- Add artifacts from an event on the investigation. See Add artifacts from a raw event on the investigation in this topic.
For example, if you're investigating a malware outbreak at your organization, you can add hosts to the scope that you suspect are infected with malware without adding the associated events to the timeline and recording them as verifiably compromised. Add them to the scope first and review the relevant panels for additional context. If you discover that an artifact is part of the security incident you are investigating, you can add the event or detail that revealed that insight to the investigation to record that information for later.
Manually add artifacts to the scope of your investigation
You can manually add artifacts such as assets and identities to the scope of your investigation on the workbench.
- From the PCI menu bar, select Investigations.
- Open an investigation to view the workbench for that investigation.
- On the Artifacts panel, click Add Artifact.
  - To add one artifact, use the default Add artifact tab:
    - For Artifact, type the value of the asset or identity.
    - For Type, select the type of the artifact: asset or identity.
    - (Optional) Type a description. For example, Personal computer infected by ransomware.
    - (Optional) Type one or more labels to contextualize the entity. Use a comma or press enter to add multiple labels. For example, ransomware, laptop, mac.
    - (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups and add the correlated artifacts to the investigation scope.
  - To add multiple artifacts:
    - Select Add multiple artifacts.
    - Select the type: asset or identity. All artifacts that you add must be the same type.
    - Select a Separator that delimits the list of assets or identities. You can use a comma or a line break as a delimiter.
    - Type or paste the values for the assets or identities, using the separator that you selected in the previous step.
    - (Optional) Type a description to apply to all assets or identities that you are adding. For example, Potentially-infected computers in the HR department.
    - (Optional) Type one or more labels to apply to all assets or identities that you are adding. For example, infected, maybe, HR.
- Click Add to Scope to add the artifacts to your investigation scope.
The artifacts that you add to your investigation scope manually are automatically selected so that you can click Explore and continue your investigation with the new artifacts.
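The scope rules described in this procedure and in the panel drilldown steps that follow (values split on the chosen separator and all sharing one type, comma-separated labels, IP addresses auto-detected as assets, and Expand Artifacts correlating a value against the asset lookup) can be modelled as follows. This is an added illustration, not code from the Splunk App for PCI Compliance; the asset lookup rows and their key fields (ip, mac, nt_host, dns) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

ASSET_LOOKUP = [  # constructed stand-in for the asset lookup; key fields ip, mac, nt_host, dns are assumed
    {"ip": "10.1.2.3", "mac": "00:11:22:33:44:55", "nt_host": "HR-LAPTOP-01", "dns": "hr-laptop-01.corp.example"},
    {"ip": "10.1.2.4", "mac": "00:11:22:33:44:66", "nt_host": "HR-LAPTOP-02", "dns": "hr-laptop-02.corp.example"},
]

@dataclass(frozen=True)
class Artifact:
    value: str
    type: str           # "asset" or "identity"
    description: str = ""
    labels: tuple = ()  # frozen and hashable, so a scope (a set) dedupes re-added artifacts

def detect_type(value):
    """Auto-detect the type for values the dialog recognises (here: IP addresses); else None."""
    try:
        ipaddress.ip_address(value)
        return "asset"
    except ValueError:
        return None

def expand_artifact(value, lookup=ASSET_LOOKUP):
    """Expand Artifacts: correlated values from every lookup row where value matches a key field."""
    correlated = set()
    for row in lookup:
        if value in row.values():
            correlated.update(v for v in row.values() if v)
    correlated.discard(value)
    return sorted(correlated)

def add_to_scope(scope, value, artifact_type, description="", labels="", expand=False):
    """Add one artifact; refuse a value whose auto-detected type contradicts the chosen type."""
    if detect_type(value) not in (None, artifact_type):
        raise ValueError(f"{value} is an {detect_type(value)}, not an {artifact_type}")
    tags = tuple(l.strip() for l in labels.split(",") if l.strip())  # comma-separated labels
    scope.add(Artifact(value, artifact_type, description, tags))
    for extra in (expand_artifact(value) if expand else []):
        scope.add(Artifact(extra, artifact_type, description, tags))
    return scope

def add_multiple_to_scope(scope, text, artifact_type, separator, description="", labels=""):
    """Split pasted text on the chosen separator (comma or line break); all values share one type."""
    if separator not in (",", "\n"):
        raise ValueError("separator must be a comma or a line break")
    for raw in filter(str.strip, text.split(separator)):
        add_to_scope(scope, raw.strip(), artifact_type, description, labels)
    return scope
```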
Add artifacts from a workbench panel
If a workbench panel has drilldown enabled, you can add field values as artifacts from the panel.
- Open the investigation and view the workbench.
- Select artifacts and click Explore.
- In a panel, click a field value. The Add Artifact dialog box appears with the value already added.
- Select a Type for the artifact. Some types, such as IP addresses, are automatically detected.
- (Optional) Add a description for the artifact.
- (Optional) Add labels for the artifact.
- (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups and add the correlated artifacts to the investigation scope.
- Click Add to Scope to add the artifact to your investigation scope.
The ability to add artifacts replaces any other drilldown that might exist on the panel. See Administer and customize the investigation workbench in this manual.
Add artifacts from a raw event on the investigation
After you add an event to the investigation, you can add field values from the event as artifacts to your investigation scope.
- Open the investigation and view the Timeline of the investigation.
- Locate the event in the Slide View.
- Click Details to view a table of fields and values in the event.
- Click the value that you want to add to the investigation scope. The Add Artifact dialog box appears with the value already added.
- Select a Type for the artifact. Some types, such as IP addresses, are automatically detected.
- (Optional) Add a description for the artifact.
- (Optional) Add labels for the artifact.
- (Optional) Click Expand Artifacts to look up the asset or identity in the asset or identity lookups and add the correlated artifacts to the investigation scope.
- Click Add to Scope.
Adjust the time range of your investigation
If there are notable events on the investigation, the workbench searches over a suggested time range based on the times of the notable events on the investigation. Time analysis suggests a time range based on the _time value of the earliest and latest notable events on the investigation.
If there are no notable events on an investigation, the workbench uses your default time range settings. See Change the default time range in the Search Manual.
Add new tabs and profiles to the workbench
Your administrator can develop additional panels, tabs, and profiles, which you can then add to the workbench to further simplify your investigation process. See Administer and customize the investigation workbench.
To add the new profiles and tabs to an investigation workbench:
- Open an investigation and click Explore to explore artifacts on the workbench.
- Click Add Content.
  - To load a profile on the workbench, click Load profile.
    - Select a profile.
    - Click Save.
  - To add a tab to the workbench, click Add single tab.
    - Select a profile or a tab.
    - Click Save.