Using the workbench in an Enterprise Security investigation

 

You run a small retail shop. Recently, several customers have reported unauthorized use of their account numbers from your store. You just bought Splunk Enterprise Security and now need to start your first investigation to research the issue. You need guidance on getting started and on working as effectively as possible during the process.

Solution

In Splunk Enterprise Security, an investigation is a collection of activities and notes related to work done on a specific issue, such as a breach. The investigation workbench helps you manage, visualize and coordinate activities and information. Understanding its components will help you run a smooth investigation.

  1. On the Investigations dashboard, click Create New Investigation.

    By default, only ess_admin and ess_analyst have permission to start investigations.

  2. Enter the required information, save the new investigation, then click on the new investigation to open the investigation workbench.
  3. Add artifacts, which are assets or identities, to the investigation to determine whether they are involved in the overall incident. There are several ways to add an artifact to an investigation:
    • From a notable event. This must first be configured by an admin.
    • From a workbench panel by selecting any item shown.
    • From an investigation event on the Timeline View by clicking Details and then the value you want to add.
    • By clicking Add Artifact in the Artifact panel of the Workbench and manually adding the details.
  4. Select one or more artifacts, then click Explore. This populates the Workbench with information, depending on which tab you are on:
    • Context. This tab includes panels for risk scores, IDS alerts, notable events, system vulnerabilities, OS updates, and computer inventory.
    • Endpoint Data. This tab includes panels for file system changes, registry activity, process activity, service activity, user account changes, port activity, and authentication data.
    • Network Data. This tab includes panels for web activity, email data, network traffic data, DNS data, certificate activity, and network session data.
    • Risk. This tab includes panels for risk scores, recent risk modifiers, MITRE ATT&CK techniques, and MITRE ATT&CK tactics.
    You can add additional tabs as needed for your investigation, but they do not persist; you must add them each time you view the investigation.
  5. Use the Investigation Bar at the bottom of the page to do any of the following:
    • Enable livefeed. Get a visual notification when a notable event occurs for assets or identities included in the investigation. Select an investigation, click the bell icon, and toggle Enable Notification. The bell icon turns orange within five minutes of the next occurrence.
    • Add artifact.
    • Quick search. Perform a search from the Investigation Bar and add the string to an investigation. Analysts can run the saved search to view the results while investigating.
    • Add notes. Add notes detailing actions taken to mitigate the breach. You can add attachments (text or binary format) of up to 4 MB each. These are stored in the KV Store.
      If you create a standard note, and do not check Show on Timeline, the note will show under Notes as a draft note.
    • Add an action history item. These include:
      • Dashboards viewed
      • Notable event updated
      • Notable event suppression updated
      • Panel filtered
      • Search run
  6. In the top right of the workbench, click the + to add more collaborators.

Next steps

If you found this article useful and want to advance your skills, Splunk Education offers a 13.5-hour, instructor-led course on using Splunk Enterprise Security. The hands-on labs in the course cover:

  • Security monitoring and incident investigation
  • Risk-based alerting
  • Assets and identities
  • Security domain dashboards
  • User intelligence
  • Web intelligence
  • Threat intelligence
  • Protocol intelligence

Click here for the course catalog where you can read the details about this and other Splunk Enterprise Security courses, as well as register.