Splunk Enterprise Security

How to integrate SA-Investigator with ES

richardphung
Communicator

Greetings--

I installed SA-Investigator on our ESSearchHead, but I do not understand how to launch the App.
It appears on the App Menu, but when I select it, I get the pony error page.

I am able to investigate artifacts from ES > Incident Review > Selecting the Incident > Action Menu > Investigate Asset Artifacts

but for the life of me, I can't seem to launch SA-Investigator directly to do searches... for example, I would like to utilize the File/Process Investigator

Please advise.

jamesbrock
Path Finder

To show the dashboards directly from the UI once you have the app installed:

Configure -> General -> Navigation

Create a new collection. Maybe call it "Investigators".

Add new Views:
Investigate Identity Artifacts - "ident_by_name"
Investigate Asset Artifacts - "asset_artifacts"
Investigate File/Process Artifacts - "file_artifacts"

Drag new views to the collection panel.

Save and refresh screen. It will be on the toolbar.
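The navigation editor described in the steps above writes a Splunk navigation file; the same collection can be expressed directly in that XML. The following is an added example, not from the posters or from the SA-Investigator or ES projects. It assumes the file is `$SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/data/ui/nav/default.xml` on the ES search head, and that the fragment is placed inside the existing `<nav>` element there (only the new `<collection>` is new; the `<nav>` wrapper is shown so the fragment is well-formed on its own). The three view names are the ones given in the post.

```xml
<!-- Added example (assumption: this lives inside the existing <nav> of
     $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/data/ui/nav/default.xml).
     Only the <collection> block is new; merge it into the real <nav>, which already
     contains the other ES menus. -->
<nav search_view="search" color="#65A637">
  <!-- New top-level menu "Investigators" pointing at the SA-Investigator views -->
  <collection label="Investigators">
    <!-- Investigate Identity Artifacts -->
    <view name="ident_by_name" />
    <!-- Investigate Asset Artifacts -->
    <view name="asset_artifacts" />
    <!-- Investigate File/Process Artifacts -->
    <view name="file_artifacts" />
  </collection>
</nav>
```

Because the views belong to a different app (SA-Investigator) than the navigation (ES), this only works if those views are shared beyond their own app; if a menu entry errors out with a permissions message, check the view's sharing in the SA's metadata before editing the XML further. Editing via Configure > General > Navigation is the safer route on a production ES head, since it keeps the rest of the ES navigation intact; hand-editing a local override that drops the existing entries would hide the other ES menus.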

skalliger
Motivator

Hi,

that app is an SA, which means it's a Supporting Add-on. Thus you won't find a UI to use. As the description says:

"SA-Investigator is an extension that integrates with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process values. Tabs for individual data models like malware, network traffic, certificates are set up for easy viewing and allow the analyst to pivot between these views on an entity without having to open multiple dashboards and enter in criteria to start a search. Workflow actions that allow pivoting from Incident Review are also included." - so you'll find the content in ES.

Skalli
