Use the Investigation page as the starting point to understand, investigate, and act on events. An event is a single piece of data in Splunk software with a given timestamp, host, source, and source type. Events in are also called containers. The Investigation page provides you access to event activity history, contextual and interactive data views, secure file attachments, and automation and case management controls.
The activity feed displays current and historical action and playbook activity that has acted on the currently displayed event. It provides a summary of the success, ongoing execution, and results of all automation operations for the event. The activity feed also provides team collaboration capabilities that are integrated inline with automation details and other data, forming a record of all relevant event information.
Use to promote a verified event to a case using the integrated case management capability. Case management supports tasks that map to your defined Standard Operating Procedures (SOPs). Case management also has full access to the Automation Engine, allowing you to launch actions and playbooks as part of a task.
Open the Investigation page
To open the Investigation page, follow these steps:
- From the Home menu, select either Cases or Sources, then My Events.
- Select an event. If you do not yet have any events, select +Event to create an event.
Alternatively, select any event on the home page.
Set your view in Investigation
You can quickly view information and perform actions using the Summary and Analyst views in . Within an event or a case, switch between views by selecting the toggle switch for the Summary or Analyst view.
The following table describes uses for the two different views.
| View | Uses |
|---|---|
| Summary | View the status of an event or case. |
| Analyst | View the status of an event or case and also perform actions, such as running a playbook, adding and editing a workbook, or viewing and adding artifacts. |
Run a playbook manually
administrators set most playbooks to run automatically when certain conditions are met, like when an event with a certain label is created. Occasionally, you might want to manually run a playbook against an event. You can do this in the Analyst view.To run a playbook event in the Analyst view of the Investigation page, follow these steps:
- From the main menu, select Sources, or any of its subsections.
- Select an event that you want to run the playbook against.
- On the Investigation page, select the Analyst view.
- Select the Run Playbook button . A list of available playbooks appears.
- Locate the playbook you want to run. Recommended playbooks appear at the top of the list. Optionally sort the columns or use the search field.
- By default, the playbook will run only on new artifacts collected since the last run of this playbook. To change the scope, select one of the following options:
- New Artifacts: (Default) Includes only artifacts collected since the last run of this playbook.
- All Artifacts: Includes all artifacts.
- Artifact: Provide the ID of the specific artifact to include in this playbook run.
- Select Run Playbook.
View the Activity panel to see the progress of the playbook run. You can view information and perform actions within the Activity panel, including:
- View the status of the playbook run. The action is currently in progress. Select the x icon to cancel the activity. The action completes successfully. action does not complete successfully.
- View the data created from a playbook run. Expand sections to see the results of each action, like geolocation data.
from playbookdebug logpin to hudadd to case
from outputfrom 3 dots. repeat actionPin to hudadd to case
Mark as evidence
HUD cards
The collapsible heads up display (HUD) helps you track important metrics and information. administrators control HUD card settings. Users can customize the HUD for an event or case by adding or removing cards, or configuring manual cards of their own design.
The following HUD card types are available:
- Preset Metrics
- Custom Fields
- Manual
Preset Metrics and Custom Fields cards are defined by a administrator and display one of the built-in metrics or the information from a custom field. You can add or remove these cards, but only an administrator can change the card options. Manual cards let you add a customized card to the HUD for an event or case. Data-type cards include data and are displayed in the HUD table data.
Add a card to the HUD
Perform the following steps to add a card to the HUD:
- From the Home menu, select either Cases or Sources, then My Events.
- Select an event or case.
- Expand the HUD menu by selecting the downward-facing double chevron icon .
- Select the gear icon to open the Configure HUD modal.
- Select + HUD Card.
- Choose a HUD card type.
- Configure the available card options. The following table describes the manual card options:
Setting Description Type Text creates an input field where you can add a small amount of text. Select creates a card with a dropdown list of options.
Message The name of the HUD card. Color The display color of the HUD card. - To display available data-type cards, switch on the HUD table data toggle.
- Select Save.
