Splunk Enterprise Security

How to integrate SA-Investigator with ES

richardphung
Communicator

Greetings--

I installed SA-Investigator on our ESSearchHead, but I do not understand how to launch the App.
It appears on the App Menu, but when I select it, I get the pony error page.

I am able to investigate artifacts from ES > Incident Review > Selecting the Incident > Action Menu > Investigate Asset Artifacts

but for the life of me, I can't seem to launch SA-Investigator directly to do searches... for example, I would like to utilize the File/Process Investigator

Please advise.

jamesbrock
Path Finder

To show the dashboards directly from the UI once you have the app installed.

Configure -> General -> Navigation

Create a new collection. Maybe call it "Investigators".

Add new Views:
Investigate Identity Artifacts - "ident_by_name"
Investigate Asset Artifacts - "asset_artifacts"
Investigate File/Process Artifacts - "file_artifacts"

Drag new views to the collection panel.

Save and refresh screen. It will be on the toolbar.

skalliger
Motivator

Hi,

that app is an SA, which means it's a Supporting Add-on. Thus you won't find a UI to use. As the decription says:

"SA-Investigator is an extension that integrates with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process values. Tabs for individual data models like malware, network traffic, certificates are set up for easy viewing and allow the analyst to pivot between these views on a entities without having to open multiple dashboards and enter in criteria to start a search. Workflow actions that allow pivoting from Incident Review are also included." - so you'll find the content in ES.

Skalli

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...