
SPLK-3001 Monitoring and Investigation


Monitoring and Investigation Detailed Explanation

1. What is “Monitoring and Investigation” in Splunk ES?

This part of Splunk Enterprise Security is all about what security teams do every day — watch for threats, investigate alerts, and decide what action to take.

Imagine you're part of a Security Operations Center (SOC). You sit at your desk, Splunk ES open in front of you. Suddenly, a notable event appears. Your job? Figure out what happened, who was affected, and what to do next.

That’s what this module is about: how you use Splunk ES to respond to threats.

2. Feature 1: Incident Review

This is your central hub as an analyst.

What does it do?

  • Shows a list of notable events (alerts that need review).

  • Lets you filter by:

    • Time

    • Event type

    • Urgency

    • Assigned analyst

  • You can assign events to yourself or teammates.

  • You can add comments, change the status (new, in progress, closed), and add tags for easier tracking.

Why is this important?

It allows team coordination. Everyone knows what events are being worked on, which ones are critical, and who’s responsible.

3. Feature 2: Notable Events (Refresher)

You’ve seen this in the first module, but here it’s applied more practically.

Notable Events are:

  • Created by correlation searches (automated detection rules).

  • Automatically sent to Incident Review.

  • Include important data:

    • Event name

    • Time

    • Source system

    • Risk score

    • Links to related events or users

When one appears, analysts investigate to decide if it’s:

  • A false alarm (no action needed)

  • A real threat (needs a response)

  • A misconfiguration (maybe the rule is too sensitive)

4. Feature 3: Event Timeline

This is a visual tool in Splunk ES that helps you see:

  • When each event happened

  • How different events are related in time

It helps answer questions like:

  • Did the login failure happen before or after the suspicious file download?

  • Were multiple systems affected at the same time?

Why is this useful?

It gives you a narrative – a story of what happened. And in cybersecurity, context is everything.

5. Feature 4: Search & Drilldown Capabilities

Splunk ES gives analysts powerful tools to dig deeper into the data behind any event.

What can you do?

  • Click on a field (like an IP address or username) to pivot into detailed searches.

  • Use time filters to zoom in on a specific period.

  • Apply tags or categories to group similar events.

  • Run custom SPL queries to explore all related logs.

Example:

A notable event says: “5 failed logins from 10.20.30.5”.

You can:

  1. Click on the IP address → Open a search for all events from that IP.

  2. Filter by time → Show what happened in the 10 minutes before/after.

  3. View the raw logs → Look for patterns (e.g., other login attempts, file access, system errors).

This helps you investigate with precision.

6. Use Case: Failed Login Analysis

Let’s go through a simple use case, step by step:

Situation:

Splunk ES shows a notable event:

“Multiple failed logins for user admin from IP 10.10.1.2.”

What does the analyst do?

  1. Open Incident Review and view the event.

  2. Check the risk score — is it high? Medium?

  3. Use the Event Timeline to see if this happened during off-hours or along with other activity.

  4. Click to drill down to the raw logs:

    • See how many times the IP tried to log in.

    • Check if the attempts were brute-force (e.g., dozens in seconds).

  5. Look up the IP address:

    • Is it internal or external?

    • Has it triggered other alerts?

  6. Add notes, escalate to the incident response team, or close it as a false positive.

Summary of Monitoring and Investigation

This domain teaches you how to:

  • Use Incident Review to manage alerts.

  • Investigate Notable Events efficiently.

  • Visualize sequences with Event Timelines.

  • Use search and drilldown tools to find the root cause.

Monitoring and Investigation (Additional Content)

In addition to the core features of Incident Review and event analysis, there are two critical aspects that enrich the monitoring experience and improve decision-making: Urgency Classification and Adaptive Response Actions.

1. Understanding Urgency Levels in Incident Review

The Incident Review Dashboard in Splunk ES provides a centralized view of Notable Events. One of the key attributes associated with each event is its Urgency level, which helps analysts prioritize response actions based on severity.

a. Urgency Categories

Events are automatically or manually classified into five urgency levels:

  • Informational: No immediate action needed; often for tracking purposes.

  • Low: Minor anomalies or early indicators with limited risk.

  • Medium: Events that may warrant investigation depending on context.

  • High: Likely threats requiring prompt attention.

  • Critical: Confirmed or strongly suspected attacks that demand immediate response.

b. How Urgency Is Determined

Urgency is often calculated by combining:

  • Risk Score of the event (based on correlation rules, asset importance, user criticality).

  • Severity of the detection logic (defined in the correlation search configuration).

This formula helps assign urgency dynamically, so a low-severity event on a critical system may still result in a High or Critical urgency classification.
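As an added illustration of the severity-times-priority model just described (not Splunk's own code, and not the values in its shipped urgency lookup), the following Python models the lookup, shows why a low-severity hit on a critical asset lands at High, and shows how a missing asset entry silently lowers urgency. The matrix cells, the asset list and the helper names are assumptions made for this example; the IPs are the ones used elsewhere on this page.

```python
# Added illustration of the ES urgency model: severity (from the correlation search)
# combined with the priority of the affected asset or identity. The matrix cells are
# constructed for the example and are not the values of the real ES urgency lookup.
SEVERITIES = ["informational", "low", "medium", "high", "critical"]   # correlation search
PRIORITIES = ["unknown", "low", "medium", "high", "critical"]         # Asset/Identity framework

# Rows: priority of the affected asset or identity. Columns: severity, in SEVERITIES order.
URGENCY_MATRIX = {
    "unknown":  ["informational", "low", "medium", "high", "critical"],
    "low":      ["informational", "low", "low", "medium", "high"],
    "medium":   ["informational", "low", "medium", "high", "critical"],
    "high":     ["low", "medium", "high", "critical", "critical"],
    "critical": ["medium", "high", "critical", "critical", "critical"],
}

# Constructed stand-in for the asset list (the IPs are the ones used in the text).
ASSETS = {
    "10.10.1.2": {"priority": "critical", "category": "domain_controller"},
    "10.20.30.5": {"priority": "low", "category": "workstation"},
}

def asset_priority(ip, assets=ASSETS):
    # An asset missing from the list falls back to "unknown": this is how an incomplete
    # or stale asset inventory makes a high-value system look unimportant.
    return assets.get(ip, {}).get("priority", "unknown")

def urgency(severity, priority):
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity}")
    if priority not in PRIORITIES:
        raise ValueError(f"unknown priority: {priority}")
    return URGENCY_MATRIX[priority][SEVERITIES.index(severity)]

def notable_urgency(severity, dest_ip, assets=ASSETS):
    # Urgency of a notable event whose correlation search fired with `severity` on `dest_ip`.
    return urgency(severity, asset_priority(dest_ip, assets))

def urgency_filter(notables, at_least="high"):
    # Incident Review style filter: keep notables whose urgency is at or above `at_least`.
    rank = {level: i for i, level in enumerate(SEVERITIES)}  # urgency uses the same scale
    return [n for n in notables
            if rank[notable_urgency(n["severity"], n["dest"])] >= rank[at_least]]
```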

c. Why Urgency Matters

  • Helps triage and allocate analyst time effectively.

  • Filters allow teams to focus first on time-sensitive or high-risk incidents.

  • Enables better SLA tracking for incident response.

By sorting and filtering Notable Events by urgency, teams can maintain focus and avoid being overwhelmed by low-priority data.

2. Introduction to Workflows and Adaptive Response Actions

While Splunk ES is primarily an analysis and detection platform, it can also support automated or semi-automated response actions when integrated with external systems.

a. What Are Adaptive Response Actions?

Adaptive Response Actions are pre-configured responses that can be triggered from a Notable Event or correlation search. Examples include:

  • Blocking an IP address via firewall integration

  • Sending an email or SMS alert to the security team

  • Creating a ServiceNow ticket for follow-up

  • Quarantining a user or host via integration with endpoint protection tools

b. Workflow Integration

These response actions are part of customizable workflows that allow analysts to:

  • Investigate → Take Action → Document Results

  • Reduce mean time to respond (MTTR)

  • Ensure consistency in how incidents are handled

These features can be accessed from the Incident Review dashboard, or pre-attached to specific correlation searches for automatic execution.

Summary of Enhancements

Feature                   | Purpose
--------------------------|---------------------------------------------------------------------------
Urgency Classification    | Helps prioritize incidents based on risk and severity
Adaptive Response Actions | Enables response such as blocking IPs, notifying teams, or creating tickets

Frequently Asked Questions

How are notable events generated within Splunk Enterprise Security?

Answer:

Notable events are generated by correlation searches that detect security conditions defined by SPL queries and detection logic.

Explanation:

Correlation searches continuously analyze indexed data against defined detection rules. When the search condition evaluates to true, the search creates a notable event in the Incident Review dashboard. These events include contextual metadata such as severity, affected assets, and risk scores. Analysts use them as the primary entry point for investigation workflows. A common configuration mistake is disabling scheduling or misconfiguring search permissions, which prevents the correlation search from executing and therefore stops notable events from being generated.

Demand Score: 82

Exam Relevance Score: 87

What is the purpose of the Incident Review dashboard in Splunk Enterprise Security?

Answer:

The Incident Review dashboard is used to triage, investigate, and manage notable events generated by correlation searches.

Explanation:

It acts as the central workflow interface for SOC analysts. Analysts review newly generated notable events, evaluate severity and context, assign ownership, and track status such as new, in progress, or resolved. The dashboard also allows filtering by urgency, security domain, or detection rule. Proper triage ensures analysts focus on the highest-risk alerts first. A common operational issue occurs when urgency calculations are misconfigured, which results in inaccurate prioritization of alerts.

Demand Score: 70

Exam Relevance Score: 82

What factors determine the urgency level of a notable event in Splunk Enterprise Security?

Answer:

Urgency is calculated using a combination of detection severity and the priority assigned to the associated asset or identity.

Explanation:

Splunk ES combines the rule severity defined in the correlation search with asset and identity priority values from the Asset and Identity frameworks. The resulting urgency score determines how prominently the alert appears in Incident Review. This prioritization model helps SOC teams focus on high-value assets and critical detections. Misconfigured asset priorities can cause high-risk incidents to appear with low urgency, reducing detection effectiveness.

Demand Score: 76

Exam Relevance Score: 84

Why might a correlation search fail to produce notable events even when suspicious activity exists in the logs?

Answer:

A correlation search may fail due to incorrect scheduling, missing CIM field mappings, or insufficient search permissions.

Explanation:

If the correlation search is disabled or scheduled incorrectly, it may not run at the expected intervals. Additionally, if the ingested logs are not mapped to the correct CIM data model fields, the search logic may not detect events. Permissions issues can also prevent searches from accessing required indexes. Troubleshooting usually begins by verifying search execution history, reviewing the SPL logic, and confirming CIM compliance.

Demand Score: 79

Exam Relevance Score: 86

What investigative actions can analysts perform directly from a notable event in Incident Review?

Answer:

Analysts can pivot to investigation dashboards, examine related events, review risk scores, and assign ownership or status updates to the event.

Explanation:

Each notable event contains contextual information and links to investigation tools. Analysts can drill into raw search results, view associated assets or identities, or launch predefined investigative dashboards. These actions allow analysts to quickly determine whether the alert represents a true security incident. Efficient use of pivoting and contextual analysis reduces investigation time and helps maintain SOC operational efficiency.

Demand Score: 66

Exam Relevance Score: 78
