How to integrate SA-Investigator with ES

richardphung · ‎04-05-2019

Greetings--

I installed SA-Investigator on our ESSearchHead, but I do not understand how to launch the App.
It appears on the App Menu, but when I select it, I get the pony error page.

I am able to investigate artifacts from ES > Incident Review > Selecting the Incident > Action Menu > Investigate Asset Artifacts

but for the life of me, I can't seem to launch SA-Investigator directly to do searches... for example, I would like to utilize the File/Process Investigator

Please advise.

jamesbrock · ‎06-12-2019

To show the dashboards directly from the UI once you have the app installed.

Configure -> General -> Navigation

Create a new collection. Maybe call it "Investigators".

Add new Views:
Investigate Identity Artifacts - "ident_by_name"
Investigate Asset Artifacts - "asset_artifacts"
Investigate File/Process Artifacts - "file_artifacts"

Drag new views to the collection panel.

Save and refresh screen. It will be on the toolbar.

skalliger · ‎04-07-2019

Hi,

that app is an SA, which means it's a Supporting Add-on. Thus you won't find a UI to use. As the decription says:

"SA-Investigator is an extension that integrates with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process values. Tabs for individual data models like malware, network traffic, certificates are set up for easy viewing and allow the analyst to pivot between these views on a entities without having to open multiple dashboards and enter in criteria to start a search. Workflow actions that allow pivoting from Incident Review are also included." - so you'll find the content in ES.

Skalli

How to integrate SA-Investigator with ES

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...