Getting Data In

Splunk Enterprise Security notables and investigations | SOC analysts work with Splunk ES

splunky_diamond
Path Finder

Hello Splunkers!

I am learning Splunk, but I've never deployed or worked with Splunk ES in production environment especially in SOC.  
As you know, we have notables and investigations in ES and for both of them we can change the status to indicate when the investigation is in process or not, but I am not quite sure about how SOC actually uses these features. That's why I have couple of questions regarding that. 
1) Do analysts always start investigation when they are about to handle a notable in the incident review tab?

  Probably the first what analysts do is changing the status from new to "in progress" and assign the event to themselves, to indicate that they are handling notable, but do they also start a new investigation or add them to the existing one, or analyst can handle the notable without adding it to an existing one or starting the new investigation?

2) When a notable was added to an investigation, what do analysts do when they close they figure out the disposition (complete their investigation)? Do they merely change the status through editing the investigation and the notable in their associated tabs? Do they always put their conclusions about an incident in the comment section like described in this article: The Five Step SOC Analyst Method. This 5-step security analysis… | by Tyler Wall | Medium?

3) Does SOC analyst of the first level directly put the status "closed" when the notable/investigation  is completed, or he/she always has to put it to "resolved" for their more-experienced colleagues' confirmation?

I hope my questions are clear, thanks for taking your time reading my post and replying to it ❤️ 

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splunky_diamond ,

there's one general answer to all your questions: it depends on your internal procedures (or playbooks), in other words, it depends on how you work.

Answering to your questions:

1)

the take in charge action is usually the first action, so I always saw that investigations were started after a SOC analyst took in charge one or more Notables (often more Notables are take in charge and associated to an investigatin in block).

2) 

usually I saw that SOC Anaysts change the status on their Notables by themselves.

3)

as I said it depends on your internal procedures, anyway, the closing is tracked.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...