Splunk Enterprise Security

Audit trail for investigations

efika
Communicator

An analyst adds a note to investigation. Another analyst from another shift delete this note.
where is the audit trail that allows me to see when and who did what in an investigation ?

According to the doc :

"Investigation details from investigations created in versions earlier than 4.6.0 of Splunk Enterprise Security are stored in two KV Store collections, investigative_canvas and investigative_canvas_entries. Those collections are preserved in version 4.6.0 but the contents are added to the new investigation KV Store collections. So to restore, you may need to restore investigationinvestigation_attachmentinvestigation_eventinvestigation_leadinvestigative_canvas, and investigative_canvas_leads."

But except for the investigation KV store (| rest /services/storage/investigation/investigation) I can't access the other KV store .

Is it a missing functionality ?

 

Thanks !

 

 

 

Labels (1)
Get Updates on the Splunk Community!

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...