Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ES v8.x on cloud Investigations API

SOClife
Engager
Monday

All,

We are investigating a move from v7 to v8.    We currently rely heavily on the Investigation API  however per the documentation it is no longer available in v8.  The v8 API also seems to be missing a get call for notable_events.  


Is there another way in the API that we can pull details on the enterprise security events, investigations and assets for v8 or do we need to hold off on upgrading while the product matures? 

Tags (2)
0 Karma
Reply

livehybrid
Influencer
Tuesday

Hi @SOClife 

The only documented APIs for ES8 specifically are at https://docs.splunk.com/Documentation/ES/8.0.2/API/AboutSplunkESAPI and as you say, the investigation API isnt listed in here.

However - I believe some of the investigation endpoints you are looking for are actually now under the Mission Control app (See the MC APIs at https://docs.splunk.com/Documentation/MC/Current/SplunkPlaybookAPI)

If you view an investigation in the UI with the Network tab of the browser developer tools open then you will see API calls to <yourEnv>/en-US/splunkd/__raw/servicesNS/nobody/missioncontrol/v2/investigations/<GUID>/findings (for example!) - some of these map to the documented MC APIs, however I couldnt find all of them in there. Its worth capturing the payload and responses to determine what you need from them. 

As another example, loading the Incident Review in the UI loads some MC V1 API calls such as the notes endpoint.

In addition to the API calls, if you're extracting information about incidents/investigations then you may be able to perform standard SPL searches using the REST API,

| mcincidents < This will return a list of incidents within the timeframe searched
| mcincidentbyid id=ES-00001 < Return a single incident details, pass display_id or id (guid)

 

🌟 Did this answer help you? If so, please consider:

    • Adding kudos to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Reply

SOClife
Engager
Tuesday

Thanks @livehybrid  this is promising. Do you happen to know a search command that would give information on the artifacts associated with an incident?

0 Karma
Reply

kiran_panchavat
Influencer
Tuesday

@SOClife 

If your operations heavily depend on the Investigation API’s simplicity and no workaround (e.g., REST searches) is feasible within your timeline, sticking with v7.x until v8.x matures. 
 
There are no APIs available:-
I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top