Collaborate on investigations in Splunk Enterprise Security

As a security analyst, you can share information on investigations and findings with other analysts to collaborate on identifying root cause and security threats through knowledge sharing.

You can add details and evidence to your investigation, such as actions and notes. You can also add findings or other events that add insight to the investigation.

Use notes and upload files to add relevant information like links to online press coverage, tweets, or screenshots. Additionally, you can record important investigation steps that you take, such as phone, email, or chat conversations as notes on the investigation.

You can also use features such as IDs and shared views to collaborate on open findings and investigations. Select the unique ID of an investigation, such as ES-11005, to copy the link to the investigation and share it with other analysts.

Assign a finding or an investigation to an analyst

Owners are unassigned by default, and you can assign findings and investigations to any user with an administrator, ess_admin, or ess_analyst role.

Note: If you use SAML authentication, it might take up to 10 minutes to update the list of users to which you can assign findings or investigations.

Follow these steps to assign a finding or an investigation to an analyst:

  1. In Splunk Enterprise Security, go to the Mission Control page.
  2. Select a finding or an investigation from the analyst queue to which you want to assign an owner.
  3. In the details page, go to the Owner drop-down and assign an owner to the finding or the investigation. Alternatively, select Assign to me by selecting the three dots Actions menu next to the finding or the investigation and assign it to yourself.
  4. (Conditional) If your Splunk Enterprise Security administrator customized the analyst queue settings to require notes, you'll need to select Save changes and then enter a note in the resulting Add note dialog box.
    1. Select Save changes to save your note.

Create and share notes on an investigation

Add a note to an investigation to record investigation details or add attachments. You can also add a note from the dashboards in Splunk Enterprise Security.

Follow these steps to add and share notes on investigations in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, go to the specific investigation to which you want to add notes and select the investigation.
  3. Select View details and go to the investigation Overview page.
  4. Go to the Notes section to view a drop-down search filter to display notes. Following are the viewing options in the drop-down:
    • Show all: Displays all the notes associated with the investigation.
    • General notes: Displays notes that are overall observations related to the investigation.
    • Finding notes: Displays notes on the findings included in the investigation.
    • Response notes: Displays notes that outline the response actions planned for the findings in the investigation.
    Select the option you want to display the specific type of notes associated with the investigation.
  5. Select the add icon (+) to add a new note.
  6. Enter a title for the note.
    For example, "Phone conversation with police." See Make note titles required or optional.
  7. (Optional) Enter a description for the note. For example, a note to record a phone conversation might include the following description: "Called the police. Spoke with Detective Reggie Martin. Discussed an employee stealing identities from other employees".
    Note: The date and time of the note is automatically populated based on when the note was created.
  8. (Optional) Attach a file to the note. Select the attachment icon and drag the file onto the Description field or select browse to find the file to add from your computer.
    Note: The maximum file size is 4 MB. You can add multiple files to a note. You can see a preview of the first file you add to the note on the investigation timeline. If the filename contains unsupported characters, select the Replace not supported characters with '-' option and then select Change.
    Alternatively, you can remove and replace the unsupported characters manually.
  9. Select Save to add the note to the open investigation.

View all notes from the included findings of an investigation

View notes from the findings or finding groups that are included in an investigation to get the complete context of linked findings when reviewing investigations. All notes from all included findings are automatically transferred to the investigation and streamline the investigation process so that you don't have to re-enter data into investigations.

Follow these steps to view all notes in an investigation:

  1. In Splunk Enterprise Security, select the investigation that you want to review from the analyst queue in the Mission Control page.
  2. Use either of the following options to view information on the finding or finding group from an investigation:
    • Select View details to open the Investigation Overview page.
    • On the side panel, scroll to the Notes section to view the notes from all the included findings.
    Note: When an investigation is started from a finding that includes notes and you modify or update the notes, those notes are displayed consistently between the investigation and the associated findings or finding groups. Similarly, finding groups also automatically include all notes from all included findings.
  3. If you want to view any finding or finding group associated with the investigation from the Notes section, select the title of the finding or finding group from the Notes section.

Create specialized notes for advanced investigations in Splunk Enterprise Security

Create specialized notes that include artifacts using searches, timelines, and other structured information such as collapsible or expandable sections to conduct advanced investigations in Splunk Enterprise Security.

Following are some of the artifacts that can be included in the notes for investigations to display structured content:

Note: Each of these artifacts uses a fenced code block: three backticks (```) followed by the artifact name must appear before the artifact content, and three backticks must appear again at the end of the content. For more information on Markdown syntax such as headings, lists, emphasis, or tables, see Markdown cheatsheet.

  • SPL or Splunk-SPL artifact: Structured processing language that groups commands together to search, filter, analyze, and visualize data in Splunk deployments.

  • Timeline artifact: Visualization to highlight patterns or a cluster of events distributed over time, which allows you to identify trends, spikes, and gaps in a chronological order.

  • Collapse sections artifact: Commands to organize and manage large multi-file search results or adjust lines for events through hide or show panels.

SPL artifact

Use SPL artifacts to write a search that is easy to read and copy, and that is visually distinct from the surrounding content in the note.
Note: The SPL artifact is the recommended format for analyst-authored SPL in investigation notes.
Use SPL artifacts in investigation notes for the following scenarios:
  • Searches that other analysts might copy and run.
  • Hand-off notes that show how evidence was gathered.
  • Reusable triage steps embedded in investigation notes.
  • Investigation summaries that refer to one or two primary searches.
Example of SPL syntax in an investigation note:
```spl
index=authentication user="alice"
| table _time user src action app
| sort - _time
```

The following image displays how the SPL artifact is displayed in an investigation note:

Splunk-SPL artifact

Use Splunk-SPL artifacts for generated assistant-style content when you want to mirror product-generated examples or preserve the artifact name used in system-generated output.

Use Splunk-SPL artifacts in investigation notes only when you want consistency with generated assistant content and color corrected formatting.

Example of Splunk-SPL artifact in an investigation note:
```splunk-spl
index=authentication user="alice"
| table _time user src action app
| sort - _time
```
The following image displays how the Splunk-SPL artifact is displayed in an investigation note:

Timeline artifact

Use the Timeline artifact when you want to display the sequence of investigation events in a structured, readable format. Timeline is especially useful for analyst handoff, incident progression, and milestone tracking.

Follow these guidelines when creating a Timeline artifact:
  • Use valid JSON for the body of the timeline block.
  • Use double quotes for all keys and string values.
  • Do not use trailing commas.
  • Keep timestamp, title, and content as strings.

The body of a timeline block is a JSON array. Each object in the array becomes one timeline entry.

Following are the three required fields:
Note: Each of these fields supports string values.
  • timestamp
  • title
  • content
Required structure:
```timeline
[
  {
    "timestamp": "string",
    "title": "string",
    "content": "string"
  }
]
```
Example of Timeline artifact in an investigation note:
```timeline
[
  {
    "timestamp": "Apr 13, 2026 10:15 AM",
    "title": "Alert triggered",
    "content": "An alert was generated for suspicious authentication activity."
  },
  {
    "timestamp": "Apr 13, 2026 10:22 AM",
    "title": "User contacted",
    "content": "The analyst contacted the user and confirmed the activity was unexpected."
  },
  {
    "timestamp": "Apr 13, 2026 10:35 AM",
    "title": "Containment started",
    "content": "The affected account password was reset and active sessions were reviewed."
  }
]
```
The following image displays how the Timeline artifact is displayed in an investigation note:

Collapse sections artifact

Use collapse-section artifacts when you want notes to stay easily scannable while still holding detailed information for analysts.

Use this artifact for the following scenarios:
  • Extended triage notes.
  • Embedded searches.
  • Detailed remediation plans.
  • Supporting evidence that does not dominate the note body.
Follow these guidelines when creating a Collapse section artifact:
  • The block body must be valid JSON.
  • The content field is a JSON string, not a raw multi-line block.
  • Line breaks inside content must be represented as \n.
  • You must escape double quotes inside content (\") so that they are not interpreted as the end of the string or field.

Required structure

Note: The body of a collapse-section block is a JSON object.
```collapse-section
{
  "heading": "string",
  "content": "string",
  "additionalProps": {
    "defaultOpen": true,
    "disabled": false
  }
}
```

additionalProps

The additionalProps object is optional when you create a Collapse section artifact and includes the following optional properties:

  • defaultOpen: Accepts either true or false. A true value expands the collapsed section when the page is loaded.
  • disabled: Accepts either true or false. A true value turns on the ability to expand the collapsed section.

Example of collapse section artifact in a note:

```collapse-section
{
  "heading": "Remediation plan",
  "content": "1. Reset the affected account password.\n2. Revoke active sessions.\n3. Review related authentications.\n4. Monitor for recurrence over the next 24 hours.",
  "additionalProps": {
    "defaultOpen": false,
    "disabled": false
  }
}
```
The following image displays how the Collapse section artifact is displayed in an investigation note:
The following image displays how the expanded section artifact is displayed in an investigation note:
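The Timeline and Collapse section guidelines above (valid JSON, string-typed required fields, no trailing commas, newlines and double quotes escaped inside content) can be checked before a note is saved. The following Python script is an added example and is not product code from Splunk Enterprise Security: it extracts the fenced timeline and collapse-section blocks from a note's Markdown, validates each against those rules, and builds a collapse-section block from multi-line text with json.dumps so the escaping is done correctly. The fence parsing, the function names, and the sample note are assumptions made for this demonstration; the product's own parser may differ in details.

```python
import json
import re

# Three backticks, built at runtime so this file never contains a literal fence.
FENCE = "`" * 3

# Matches one fenced block: the artifact name after the opening fence and the body between the fences.
BLOCK_RE = re.compile(
    r"^" + FENCE + r"(?P<lang>[\w-]*)[ \t]*\n(?P<body>.*?)^" + FENCE + r"[ \t]*$",
    re.MULTILINE | re.DOTALL,
)

TIMELINE_FIELDS = ("timestamp", "title", "content")


def _parse(body):
    """Parse a block body as JSON. Trailing commas and raw newlines inside strings fail here."""
    try:
        return json.loads(body), []
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]


def validate_timeline(body):
    """Return the problems found in a timeline block body; an empty list means it is valid."""
    data, errors = _parse(body)
    if errors:
        return errors
    if not isinstance(data, list):
        return ["timeline body must be a JSON array"]
    for i, entry in enumerate(data):
        if not isinstance(entry, dict):
            errors.append(f"entry {i}: must be a JSON object")
            continue
        for field in TIMELINE_FIELDS:
            if field not in entry:
                errors.append(f"entry {i}: missing required field '{field}'")
            elif not isinstance(entry[field], str):
                errors.append(f"entry {i}: field '{field}' must be a string")
    return errors


def validate_collapse_section(body):
    """Return the problems found in a collapse-section block body; empty list means valid."""
    data, errors = _parse(body)
    if errors:
        return errors
    if not isinstance(data, dict):
        return ["collapse-section body must be a JSON object"]
    for field in ("heading", "content"):
        if not isinstance(data.get(field), str):
            errors.append(f"field '{field}' must be present and a string")
    props = data.get("additionalProps")
    if props is not None:
        if not isinstance(props, dict):
            errors.append("additionalProps must be a JSON object")
        else:
            for key in ("defaultOpen", "disabled"):
                if key in props and not isinstance(props[key], bool):
                    errors.append(f"additionalProps.{key} must be true or false")
    return errors


VALIDATORS = {"timeline": validate_timeline, "collapse-section": validate_collapse_section}


def lint_note(note_text):
    """Validate every fenced block in a note, in document order.

    Returns (artifact_name, errors) tuples; blocks of other kinds (spl, splunk-spl,
    untagged) are passed through with an empty error list.
    """
    results = []
    for match in BLOCK_RE.finditer(note_text):
        lang = match.group("lang")
        validator = VALIDATORS.get(lang)
        errors = validator(match.group("body")) if validator else []
        results.append((lang, errors))
    return results


def build_collapse_section(heading, content, default_open=False, disabled=False):
    """Build a valid collapse-section block from plain multi-line text.

    json.dumps performs the escaping the guidelines require: newlines become \\n and
    double quotes become \\" inside the content string.
    """
    block = {
        "heading": heading,
        "content": content,
        "additionalProps": {"defaultOpen": default_open, "disabled": disabled},
    }
    return FENCE + "collapse-section\n" + json.dumps(block, indent=2) + "\n" + FENCE


# Constructed sample note for the demonstration (not real investigation data).
SAMPLE_NOTE = "\n".join([
    "Triage summary",
    "",
    FENCE + "timeline",
    "[",
    '  {"timestamp": "Apr 13, 2026 10:15 AM", "title": "Alert triggered",',
    '   "content": "An alert was generated for suspicious authentication activity."}',
    "]",
    FENCE,
    "",
    build_collapse_section(
        "Remediation plan",
        "1. Reset the affected account password.\n2. Revoke active sessions.",
    ),
])

if __name__ == "__main__":
    for lang, errors in lint_note(SAMPLE_NOTE):
        print(lang, "OK" if not errors else errors)
```

Because json.loads is strict by default, a raw line break inside a content string and a trailing comma are both reported as "invalid JSON", which is exactly the failure an analyst would otherwise only discover after saving the note.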

Use dynamic field tokens in Splunk Enterprise Security

Use dynamic field tokens in investigation notes to automatically display investigation details based on the context of the investigation without manually rewriting the same values.

Note: The token values are mutable. If a field such as $disposition$ changes, a note that references that field updates to show the current disposition.

Examples of dynamic tokens used in investigation notes

Following are some examples of tokens that can be used in investigation notes:

  • $status$
  • $disposition$
  • $urgency$
  • $severity$
  • $security_domain$
  • $incident_id$
  • $incident_create_time$
  • $incident_update_time$
  • $risk_object$
  • $risk_object_type$
  • $risk_score$
  • $rule_title$
  • $rule_description$
  • $search_name$
  • $source$
  • $creator$
  • $creator_realname$
  • $next_steps$
Note: The actual availability of a token depends on the fields available in the current investigation, finding, or consolidated summary record.

Example of dynamic token used in an investigation note

Following is an example of dynamic tokens used in an investigation note:
```
Current status: $status$
Current disposition: $disposition$
Urgency: $urgency$
Severity: $severity$
```
The following image displays how a token is displayed in an investigation note:
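To make the token behaviour described above concrete, the following Python snippet is an added example and not the product's own rendering code: it substitutes $field$ tokens from a record of investigation fields, leaves tokens whose field is absent from the record untouched (the availability rule in the note above), and shows that rendering again after a field changes picks up the new value (the mutability rule). The record contents, the template's use of $next_steps$ as a deliberately unavailable field, and the function names are constructed for this demonstration.

```python
import re

# Matches $name$ tokens; names are field names such as status or risk_score.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def render_tokens(template, record):
    """Replace every $field$ token with the field's current value from the record.

    Tokens whose field is absent from the record are left as-is, mirroring the rule
    that a token is only available when the record actually carries that field.
    """
    def substitute(match):
        name = match.group(1)
        return str(record[name]) if name in record else match.group(0)
    return TOKEN_RE.sub(substitute, template)


def unresolved_tokens(template, record):
    """Return the sorted names of tokens in the template that the record cannot supply."""
    return sorted({m.group(1) for m in TOKEN_RE.finditer(template)} - set(record))


# Constructed investigation record for the demonstration (not real product data).
RECORD = {
    "status": "In progress",
    "disposition": "Undetermined",
    "urgency": "High",
    "severity": "high",
}

# Constructed note template; $next_steps$ has no matching field in RECORD on purpose.
TEMPLATE = (
    "Current status: $status$\n"
    "Current disposition: $disposition$\n"
    "Urgency: $urgency$\n"
    "Severity: $severity$\n"
    "Next steps: $next_steps$"
)

if __name__ == "__main__":
    print(render_tokens(TEMPLATE, RECORD))
    RECORD["disposition"] = "True positive"   # the underlying field changes ...
    print(render_tokens(TEMPLATE, RECORD))     # ... and the rendered note follows it
    print("unresolved:", unresolved_tokens(TEMPLATE, RECORD))
```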

Edit or delete notes in an investigation

Edit or delete existing notes in an investigation by selecting the drop-down menu next to the note and then selecting the Edit or Delete option.

All changes to the notes can be tracked in the audit logs. For example, you can use the following search to identify any modifications to notes included in an investigation.


Upload files to an investigation

Upload files to add relevant information such as links to online press coverage, tweets, or screenshots.

Follow these steps to upload files to an investigation:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, go to the specific investigation to which you want to add notes and select the investigation.
  3. Select View details and go to the investigation Overview page.
  4. Go to the Files section and select Upload files.

    Note: All file types are supported. You can also choose to drag and drop your file for upload.

Copy links to an investigation

Make files available to Splunk SOAR

If your Splunk Enterprise Security environment is paired with your Splunk SOAR environment, you can use Splunk Enterprise Security files in apps and playbooks. For example, you might create a playbook that takes files you specify and detonates them in a sandbox.

The word SOAR displays next to the name of files available in Splunk SOAR.

Note: Objects and other container attachments are stored in the vault. You can access the vault by directly uploading attachments to a container or by using the vault playbook API. If there is not sufficient storage in the vault, you cannot upload attachments. If you are paired with Splunk SOAR (Cloud), contact Splunk SOAR Support for help with storage space.
For details about the vault playbook API, see Vault background in the Python Playbook API Reference for Splunk SOAR.

For information on pairing with Splunk SOAR, see Pair Splunk Enterprise Security with Splunk SOAR.

Follow these steps to make a file available to Splunk SOAR:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, go to the investigation with the specific file and select the investigation.
  3. Select View details and go to the investigation Overview page.
  4. Go to the Files section and locate the file.
  5. Select the three dots associated with that file and select Make available to SOAR.

Follow these steps to use files available in Splunk SOAR:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, go to the investigation with the specific file and select the investigation.
  3. Select View details and go to the investigation Overview page.
  4. Go to the Files section and locate the file.
  5. Select the three dots associated with that file and select Copy SOAR vault ID.

If you want to run a playbook that uses files in this section, you must make all files available to SOAR. If you add files later and want to include those in playbook runs, make those new files available to SOAR and run the playbook again.

Delete files from Splunk Enterprise Security, Splunk SOAR, or both

Deleting a file removes it entirely from Splunk Enterprise Security, from Splunk SOAR, or from both.

If you are using this file in another investigation, that copy of the file is not removed.

Follow these steps to delete a file:

  1. In Splunk Enterprise Security, select the Mission Control page.
  2. From the Analyst queue, go to the investigation with the specific file and select the investigation.
  3. Select View details and go to the investigation Overview page.
  4. Go to the Files section and locate the file.
  5. Select the three dots associated with that file and select Delete file.