Is there a way to update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk for Enterprise Security?
For example, Asset Investigator has the Default collection, the Protocol Intelligence, and then Custom for the user to pick. I'd like to either add a third collection or update the default to include an additional swimlane.
You can create new swim lanes just like most anything else...by creating a search. Except, in the context of Enterprise Security, you have to use the Content Management framework in order to create a new Swim Lane Search. Once you create that you will have a new swim lane that you can add to your custom grouping. You can find more information here:
Hope that helps!
I've created a custom swimlane for my Enterprise Security users. I was hoping to add it to the Default collection so they see it by default when they access the dashboard.
I'm trying to avoid having users have to configure the dashboard.
There is a way. You'll need to edit the "correlationsearches.conf" file, find the stanza in the file that is associated with the Swim Lane Search you created and then under that Swim Lane Search's stanza add the line
display.page.asset_investigator.0.collection_name = Default line. Just make sure you choose the proper investigator for the search - either
identity - in the line you add to the stanza. You'll also need
display.page.asset_investigator.0.order = 1 if its not already there. That ought to get the newly created swim lane search added to the default collection.
Slight correction....this should be in savedsearches.conf now....not correlationsearches.conf. correlationsearches.conf got deprecated in ES 4.6. So, if you are working in something older than 4.6, use correlationsearches.conf....4.6 and newer, use savedsearches.conf.
That did it. As a note, I had to copy 4 lines total to my swimlane from an existing swimlane:
display.page.assetinvestigator.0.collectionname = Default
display.page.assetinvestigator.0.order = 7
isvisible = false
request.uidispatchapp = SplunkEnterpriseSecuritySuite
alert.track = 0
Fantastic! Glad that did it for you! And thanks for sharing the final results that worked best for you!