Enabling auto-refresh on the Analyst queue in Enterprise Security
You are a security operations center (SOC) analyst or administrator who frequently uses the Analyst queue in Splunk Enterprise Security. You’re looking for a way to streamline your workflow by enabling auto-refresh by default, so you don’t need to manually toggle it every time you log in.
Solution
This video shows you:
- How to enable or disable auto-refresh manually in the Analyst queue (formerly Incident review).
- Steps to configure auto-refresh as the default for all users by navigating to Configure > Findings and Investigations > Analyst Queue Settings and toggling the setting on.
- The effect of enabling the default setting: auto-refresh activates automatically each time you log into the Analyst queue, unless you manually turn it off.
Next steps
In addition, these resources might help you understand and implement this guidance:
- Splunk Docs: About Splunk Enterprise Security
- Product Tip: Installing and upgrading to Splunk Enterprise Security 8x
- Product Tip: Using Enterprise Security 8.0 workflows
- Product Tip: Using risk-based alerting and detection in Enterprise Security 8.0
- Product Tip: Searching investigation artifacts with the Analyst queue in Enterprise Security 8.0