Managing Investigations in Splunk

Enterprise Security

Joe Abraham
CYBERSECURITY CONSULTANT

@joeabrah www.joeabrahamtech.com
 Create and modify investigations
Can be from notable events or
manually created
Investigations Provides workbench for
Dashboard investigation collateral
- Notes
- Artifacts
- Events
 Explore investigations dashboard
Overview - Demo

Investigation management
- Demo

Course review
Let’s wrap!
Splunk ES User Guide
Working with Investigations
 Investigations Dashboard
No edit button like other dashboards

Shows names and descriptions Created and modify dates Collaborators

Investigation Workbench
 Roles and Capabilities

ess_admin can modify, ess_analyst can create

create, and manage and modify

Manage all investigations Manage your investigations

Artifact
Artifacts are objects that are associated with a
container and serve as corroboration or evidence
related to the container
Demo

Explore investigation workflows and uses

Managing the Investigations Dashboard
Modifying the Investigation Workbench

Workbench panels are a panel or dashboard that’s converted to

function in a workbench to provide additional information

Workbench profiles link workbench tabs together for use case

separation and organization

Workbench tabs are sections of information that contains

workbench panels
Tokens
Variables for information that may change dynamically
Workbench Panels
 Workbench profiles
separate views or tabs
Can be separated
by use cases
Cleans up
configuration
Workbench Tabs
Demo
Modify investigations and
investigation objects
Let’s Wrap!
 Course Review

Organizational Notable Events

Splunk ES Data
Metrics and and Incident
Inputs Security Posture Review

Audit and Security

Domain Investigations
Dashboards
 Feedback and Ratings

Course ratings and

Follow me at Pluralsight to
constructive feedback
get notified of new courses
are appreciated
Thank You!