An analyst adds a note to an investigation. Another analyst from another shift deletes this note.
Where is the audit trail that allows me to see when and who did what in an investigation?
According to the doc:
"Investigation details from investigations created in versions earlier than 4.6.0 of Splunk Enterprise Security are stored in two KV Store collections, investigative_canvas and investigative_canvas_entries. Those collections are preserved in version 4.6.0 but the contents are added to the new investigation KV Store collections. So to restore, you may need to restore investigation, investigation_attachment, investigation_event, investigation_lead, investigative_canvas, and investigative_canvas_leads."
But except for the investigation KV store (| rest /services/storage/investigation/investigation), I can't access the other KV stores.
Is it a missing functionality?
Thanks!