SPLK-2003 The Investigation Page

The Investigation Page Detailed Explanation

1. Purpose

The Investigation Page is the central workspace in Splunk SOAR where analysts interact with a specific incident or case.

Think of it as your mission control panel for each alert. Once an event is triggered and turned into a case or investigation, this is where all the details live and where analysts do their hands-on work.

It brings together all of the information, playbook results, actions, and notes into one place — making the incident easier to understand, respond to, and document.

2. Key Components

a. Timeline View

What it shows:

• A chronological list of everything that has happened related to the case.

• This includes:

  • Automated actions (from playbooks).

  • Manual analyst actions.

  • Decision outcomes.

  • Notes and comments.

  • Event status changes (e.g., from Open → Closed).

Why it’s important:

• Helps you see the full story of the incident.

• Makes it easier to audit or review what actions were taken and when.

• Provides clear documentation for reporting and compliance.

b. Artifacts Panel

What are artifacts?

Artifacts are pieces of evidence or data that were collected during the event or incident. These can include:

• IP addresses

• File hashes (MD5, SHA1, SHA256)

• URLs

• Usernames

• Email addresses

• Hostnames

What the panel does:

• Displays all artifacts in a structured table.

• Lets you sort or filter them by type.

• Allows you to select specific artifacts and take action on them directly (e.g., check reputation, enrich data, run a playbook).

Why it’s helpful:

• You don’t need to scroll through raw logs.

• All critical data points are extracted and clearly shown.

• You can quickly interact with just the parts you care about.

c. Manual Actions Panel

What it does:

• Lets analysts manually trigger actions or playbooks from within the investigation.

• You can:

  • Run a specific asset action (e.g., “Query IP reputation” using VirusTotal).

  • Choose a playbook to run just for one artifact.

  • Customize input parameters before execution.

Why this matters:

• Sometimes automation can’t decide everything — human judgment is needed.

• Gives analysts flexibility and control during investigations.

• Helps analysts respond to new developments as the investigation unfolds.

d. Notes Section

Purpose:

• Provides a space for analysts to write comments, observations, and updates throughout the investigation.

How it’s used:

• Log hypotheses or findings (e.g., “This IP is part of a known phishing campaign”).

• Collaborate with other analysts in shifts or across teams.

• Record decisions made manually (e.g., “User was contacted and confirmed unusual activity”).

Benefits:

• Keeps everything documented in one place.

• Makes it easier for team members to stay aligned.

• Provides historical reference for future investigations or audits.

3. Use Cases

Let’s look at how analysts actually use the Investigation Page during their workflow:

a. Perform Enrichment of Indicators

Example:

• You see an IP address in the artifact panel.

• You run an enrichment playbook to:

  • Get geolocation

  • Query threat intelligence sources

  • Check past behavior in your SIEM

This helps determine if the IP is benign or malicious.

b. Launch Containment Actions

From the same interface, you can:

• Block a suspicious IP on a firewall.

• Disable a compromised user account.

• Quarantine an infected endpoint.

These actions can be triggered manually or via playbooks with just a few clicks.

c. Monitor and Intervene During Automation

Playbooks don’t always run perfectly. In the Investigation Page, analysts can:

• Watch live as each step of the playbook runs.

• Pause, cancel, or adjust the playbook flow.

• Step in to provide manual input if the playbook needs a decision or clarification.

This lets analysts blend automation and human expertise for faster, smarter incident response.

Summary

Component	Function
Timeline View	Shows a complete history of everything done on the case
Artifacts Panel	Displays and allows action on data like IPs, hashes, URLs
Manual Actions Panel	Lets analysts run playbooks and actions manually
Notes Section	Used to document findings, decisions, and collaborate with teammates

The Investigation Page (Additional Content)

1. Artifact Pinning and Criticality Flags

Analysts often need to highlight key data points (artifacts) within a case to draw attention for triage or collaboration. Splunk SOAR supports artifact annotation features to support this.

a. Pinning Artifacts

• Analysts can "pin" artifacts to the top of the page or to a summary panel.

• Pinned artifacts become more visible in the Investigation Overview, making it easier for other team members to quickly identify what matters.

b. Marking as Critical

• Certain artifacts (e.g., IPs, file hashes, or email addresses) can be flagged as critical.

• This helps in:

  • Prioritizing actions

  • Triggering additional playbooks or alerts

  • Auditing post-incident reviews

c. Exam Relevance

"How can an analyst highlight a suspicious IP address so it stands out in the investigation view?"
Correct answer: By pinning it or marking it as critical

2. Real-Time Playbook Monitoring and Debugging

The Investigation Page includes features to observe and control playbook execution live, which is essential for advanced incident handling.

a. Live Block Status Monitoring

• Each block (action, decision, prompt) of a running playbook is shown in real-time.

• Analysts can see:

  • Which blocks are currently executing

  • Success/failure states

  • Output values of actions

b. Debug Logs Access

• If an action fails or behaves unexpectedly, analysts can:

  • Click into the block to see execution logs

  • View variable values and errors

• This is essential for troubleshooting failed automation

c. Intervention Options

• Playbook execution can be:

  • Paused

  • Aborted

  • Manually redirected, especially if a user prompt or decision is required

d. Exam Relevance

"Where can an analyst check the outcome of each action in a playbook while it’s running?"
Correct answer: Within the Investigation Page's live playbook view

3. Evidence Export and Case Reporting

The Investigation Page is also a hub for generating and exporting documentation after an incident is closed — often required in compliance-driven environments.

a. Generating Case Reports

• Analysts can collect:

  • Timeline history

  • Analyst notes

  • Artifact interactions

  • Playbook execution results

• This can be exported as:

  • Case Summary Report

  • Audit Trail Document

b. Use Cases

• Supports:

  • Incident closure reviews

  • Internal audits

  • External compliance reports (e.g., for GDPR, HIPAA, or SOC2)

c. Exam Relevance

"After closing a case, how can an analyst prepare documentation for audit purposes?"
Correct answer: Export a case report or timeline from the Investigation Page

Summary

Feature	Description
Artifact Pinning	Highlights critical data points visually during triage
Critical Marking	Flags high-risk artifacts for prioritization and collaboration
Live Playbook Monitoring	View each step’s execution status and outputs in real-time
Debug Logs	Inspect action logs and values for troubleshooting
Playbook Control	Analysts can pause, cancel, or intervene manually
Case Report Export	Generate documentation for audits, compliance, or summaries