Splunk Enterprise Security

Access Finding/Investigation notes in ES 8

ljvc
Explorer

Hi there,

We're currently migrating to ES 8 and need to see Work Notes (comments) provided by analysts in some dashboards/reports. Previously, the incident_updates_lookup contained the "comment" field, which held this information and was easy to access in a search.

With ES 8, this was obviously mentioned as a limitation - "The Comments feature available in prior versions of Splunk Enterprise Security is now replaced by an enhanced capability to add notes."

How can we access those notes (KV Store/Lookup/...) outside of having to click through the Mission Control/Analyst Queue manually? Where are they stored?

1 Solution

ljvc
Explorer

As usual, I figured it out shortly after finally asking.
Notes are kept in the mc_notes collection in the missioncontrol app, if anyone else was wondering...

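The accepted answer names the location (the mc_notes KV Store collection in the missioncontrol app) but not how to read it programmatically. The following is an added example, not code from the thread or from Splunk: it pulls the collection over the standard KV Store REST endpoint (servicesNS/nobody/<app>/storage/collections/data/<collection>) and groups the documents per finding. The hostname, token, and the document field names (finding_id, note, author, time) are assumptions; inspect one real document from your instance first and adjust the field names, since the page does not document the schema. The comment at the end shows the alternative route, a transforms.conf lookup definition over the same collection, so the notes become reachable from SPL with inputlookup.

```python
"""Read Mission Control notes from the mc_notes KV Store collection.

Added example (not from the original thread or from Splunk).
Assumptions: management port 8089 is reachable, the token's role can read
the collection in the missioncontrol app, and the documents carry the
fields finding_id / note / author / time (placeholder names).
"""
import json
import ssl
import urllib.request
from collections import defaultdict

SPLUNK_MGMT = "https://splunk.example.internal:8089"  # assumption
APP = "missioncontrol"                                 # from the thread
COLLECTION = "mc_notes"                                # from the thread


def collection_url(base, app=APP, collection=COLLECTION):
    """Build the KV Store data endpoint; owner 'nobody' reads app-shared data."""
    return f"{base}/servicesNS/nobody/{app}/storage/collections/data/{collection}"


def fetch_notes(token, base=SPLUNK_MGMT, verify_tls=True):
    """Fetch every document in the collection as a list of dicts.

    The endpoint returns a JSON array. Keep verify_tls=True outside a lab;
    an unverified context exposes the bearer token to interception.
    """
    req = urllib.request.Request(
        collection_url(base),
        headers={"Authorization": f"Bearer {token}"},
    )
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def notes_by_finding(docs, key="finding_id", text="note"):
    """Group documents by the finding they reference, oldest note first.

    Documents lacking the reference or the note text are skipped rather
    than raising, because KV Store collections can hold mixed document
    shapes. Field names are assumptions, see module docstring.
    """
    grouped = defaultdict(list)
    for doc in docs:
        if key not in doc or text not in doc:
            continue
        grouped[doc[key]].append({
            "note": doc[text],
            "author": doc.get("author"),
            "time": doc.get("time"),
        })
    for notes in grouped.values():
        notes.sort(key=lambda n: n["time"] if n["time"] is not None else 0)
    return dict(grouped)


# Constructed sample shaped like KV Store output (_key/_user are added by
# Splunk on every document); not real data from any instance.
SAMPLE_DOCS = [
    {"_key": "6650a1", "_user": "nobody", "finding_id": "F-001",
     "note": "Host isolated", "author": "bob", "time": 1718000600},
    {"_key": "6650a2", "_user": "nobody", "finding_id": "F-001",
     "note": "Escalated to IR", "author": "alice", "time": 1718000000},
    {"_key": "6650a3", "_user": "nobody", "finding_id": "F-002",
     "note": "False positive, tuned rule", "author": "alice", "time": 1718001200},
    {"_key": "6650a4", "_user": "nobody", "kind": "orphan"},  # skipped
]

# SPL route instead of REST (assumed stanza; field list must match the real
# documents). Put it in transforms.conf in an app context that can see the
# collection, then: | inputlookup mc_notes_lookup | search finding_id=F-001
#
# [mc_notes_lookup]
# external_type = kvstore
# collection = mc_notes
# fields_list = _key, finding_id, note, author, time

if __name__ == "__main__":
    for finding, notes in notes_by_finding(SAMPLE_DOCS).items():
        print(finding, [n["note"] for n in notes])
```

Two caveats for production use: the role running the search or REST call needs read permission on the collection in the missioncontrol app (the lookup definition likewise has to be shared so that your reporting app can see it), and the notes are free text written by analysts, so treat the note field as untrusted input when you render it in a dashboard.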
