Splunk Enterprise Security notables and investigations | SOC analysts work with Splunk ES

splunky_diamond
Path Finder

Hello Splunkers!

I am learning Splunk, but I've never deployed or worked with Splunk ES in a production environment, especially in a SOC.
As you know, we have notables and investigations in ES, and for both of them we can change the status to indicate whether the investigation is in progress or not, but I am not quite sure how a SOC actually uses these features. That's why I have a couple of questions regarding that.
1) Do analysts always start investigation when they are about to handle a notable in the incident review tab?

Probably the first thing analysts do is change the status from "new" to "in progress" and assign the event to themselves, to indicate that they are handling the notable, but do they also start a new investigation or add it to an existing one, or can an analyst handle the notable without adding it to an existing investigation or starting a new one?

2) When a notable has been added to an investigation, what do analysts do when they figure out the disposition (complete their investigation)? Do they merely change the status by editing the investigation and the notable in their associated tabs? Do they always put their conclusions about an incident in the comment section, as described in this article: The Five Step SOC Analyst Method. This 5-step security analysis… | by Tyler Wall | Medium?

3) Does a first-level SOC analyst directly set the status to "closed" when the notable/investigation is completed, or does he/she always have to set it to "resolved" for confirmation by more experienced colleagues?

I hope my questions are clear. Thanks for taking the time to read my post and reply to it ❤️


gcusello
SplunkTrust

Hi @splunky_diamond ,

there's one general answer to all your questions: it depends on your internal procedures (or playbooks), in other words, it depends on how you work.

Answering your questions:

1) The take-in-charge action is usually the first action, so I always saw that investigations were started after a SOC analyst took charge of one or more Notables (often several Notables are taken in charge and associated to an investigation in bulk).

2) Usually I saw that SOC Analysts change the status on their Notables by themselves.

3) As I said, it depends on your internal procedures; anyway, the closing is tracked.

Ciao.

Giuseppe
