Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ES v8.x on cloud Investigations API

SOClife
Engager
3 weeks ago

All,

We are investigating a move from v7 to v8.    We currently rely heavily on the Investigation API  however per the documentation it is no longer available in v8.  The v8 API also seems to be missing a get call for notable_events.  


Is there another way in the API that we can pull details on the enterprise security events, investigations and assets for v8 or do we need to hold off on upgrading while the product matures? 

Tags (2)
0 Karma
Reply

livehybrid
Champion
3 weeks ago

Hi @SOClife 

The only documented APIs for ES8 specifically are at https://docs.splunk.com/Documentation/ES/8.0.2/API/AboutSplunkESAPI and as you say, the investigation API isnt listed in here.

However - I believe some of the investigation endpoints you are looking for are actually now under the Mission Control app (See the MC APIs at https://docs.splunk.com/Documentation/MC/Current/SplunkPlaybookAPI)

If you view an investigation in the UI with the Network tab of the browser developer tools open then you will see API calls to <yourEnv>/en-US/splunkd/__raw/servicesNS/nobody/missioncontrol/v2/investigations/<GUID>/findings (for example!) - some of these map to the documented MC APIs, however I couldnt find all of them in there. Its worth capturing the payload and responses to determine what you need from them. 

As another example, loading the Incident Review in the UI loads some MC V1 API calls such as the notes endpoint.

In addition to the API calls, if you're extracting information about incidents/investigations then you may be able to perform standard SPL searches using the REST API,

| mcincidents < This will return a list of incidents within the timeframe searched
| mcincidentbyid id=ES-00001 < Return a single incident details, pass display_id or id (guid)

 

🌟 Did this answer help you? If so, please consider:

    • Adding kudos to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Reply

SOClife
Engager
3 weeks ago

Thanks @livehybrid  this is promising. Do you happen to know a search command that would give information on the artifacts associated with an incident?

0 Karma
Reply

kiran_panchavat
Influencer
3 weeks ago

@SOClife 

If your operations heavily depend on the Investigation API’s simplicity and no workaround (e.g., REST searches) is feasible within your timeline, sticking with v7.x until v8.x matures. 
 
There are no APIs available:-
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top