Manually add artifacts to the scope of your investigation

Assets and identities added as artifacts to the scope are not limited to the assets and identities in the asset and identity framework in Splunk Enterprise Security. You can add any value as an artifact on the workbench. If you discover that an artifact is part of the security incident you are investigating, you can add the event or detail that revealed that insight to the investigation to record that information for later. Add them to the scope first and review the relevant panels for additional context. See Add artifacts from a raw event on the investigation in this topic.

For example, if you're investigating a malware outbreak at your organization, you can add hosts to the scope that you suspect are infected with malware without adding the associated events to the timeline and recording them as verifiably compromised.