Hello Splunkers!
I am learning Splunk, but I've never deployed or worked with Splunk ES in a production environment, especially in a SOC.
As you know, we have notables and investigations in ES, and for both of them we can change the status to indicate whether the investigation is in process or not, but I am not quite sure how a SOC actually uses these features. That's why I have a couple of questions regarding that.
1) Do analysts always start investigation when they are about to handle a notable in the incident review tab?
Probably the first thing analysts do is change the status from "new" to "in progress" and assign the event to themselves, to indicate that they are handling the notable, but do they also start a new investigation or add it to an existing one, or can an analyst handle the notable without adding it to an existing investigation or starting a new one?
2) When a notable has been added to an investigation, what do analysts do once they figure out the disposition (complete their investigation)? Do they merely change the status by editing the investigation and the notable in their associated tabs? Do they always put their conclusions about an incident in the comment section, as described in this article: The Five Step SOC Analyst Method. This 5-step security analysis… | by Tyler Wall | Medium?
3) Does a first-level SOC analyst directly set the status to "closed" when the notable/investigation is completed, or does he/she always have to set it to "resolved" for confirmation by more experienced colleagues?
I hope my questions are clear; thanks for taking the time to read my post and reply to it ❤️
Hi @splunky_diamond ,
there's one general answer to all your questions: it depends on your internal procedures (or playbooks); in other words, it depends on how you work.
Answering your questions:
1) the take-in-charge action is usually the first action, so I always saw that investigations were started after a SOC analyst took in charge one or more Notables (often several Notables are taken in charge and associated with an investigation as a block).
2) usually I saw that SOC Analysts change the status on their Notables by themselves.
3) as I said, it depends on your internal procedures; anyway, the closing is tracked.
Ciao.
Giuseppe
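As an added illustration (not from the original post, the reply, or Splunk itself), here is a small Python model of the workflow the question asks about: a hypothetical playbook where a tier-1 analyst takes a notable in charge, records a disposition as "resolved", and only a tier-2 analyst may move it to "closed", with every transition tracked. The status names are the ES defaults; the tier rule, the transition table and the function names are assumptions standing in for a team's own procedure.

```python
from dataclasses import dataclass, field

# Hypothetical playbook, written for illustration only: which status
# transitions are valid (status names are the Splunk ES defaults) and
# which analyst tier may perform each one. Tier 1 takes ownership and
# records a disposition ("resolved"); only tier 2 may "close".
TRANSITIONS = {
    "new": {"in progress"},
    "in progress": {"pending", "resolved"},
    "pending": {"in progress", "resolved"},
    "resolved": {"closed", "in progress"},   # tier 2 may send it back
    "closed": set(),
}
CAN_SET = {
    "in progress": {"tier1", "tier2"},
    "pending": {"tier1", "tier2"},
    "resolved": {"tier1", "tier2"},
    "closed": {"tier2"},
}


@dataclass
class Notable:
    event_id: str
    status: str = "new"
    owner: str = ""
    investigation: str = ""
    audit: list = field(default_factory=list)  # (old, new, analyst, comment)


def take_in_charge(n: Notable, analyst: str, tier: str = "tier1",
                   investigation: str = "") -> Notable:
    """Assign the notable, move it to 'in progress' and optionally attach it
    to an investigation: the 'first action' the reply describes."""
    n.owner = analyst
    n.investigation = investigation
    return set_status(n, analyst, tier, "in progress", "taken in charge")


def set_status(n: Notable, analyst: str, tier: str, new: str, comment: str) -> Notable:
    """Apply a status change only if the playbook allows it, and record it."""
    if new not in TRANSITIONS[n.status]:
        raise ValueError(f"{n.status!r} -> {new!r} is not a valid transition")
    if tier not in CAN_SET[new]:
        raise PermissionError(f"{tier} may not set status {new!r}")
    if not comment.strip():
        raise ValueError("a disposition comment is required for every change")
    n.audit.append((n.status, new, analyst, comment))  # the closing is tracked
    n.status = new
    return n
```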