Splunk Enterprise Security

How to integrate SA-Investigator with ES

richardphung
Communicator

Greetings--

I installed SA-Investigator on our ESSearchHead, but I do not understand how to launch the App.
It appears on the App Menu, but when I select it, I get the pony error page.

I am able to investigate artifacts from ES > Incident Review > Selecting the Incident > Action Menu > Investigate Asset Artifacts

but for the life of me, I can't seem to launch SA-Investigator directly to do searches... for example, I would like to utilize the File/Process Investigator

Please advise.

jamesbrock
Path Finder

To show the dashboards directly in the UI once you have the app installed:

Configure -> General -> Navigation

Create a new collection. Maybe call it "Investigators".

Add new Views:
Investigate Identity Artifacts - "ident_by_name"
Investigate Asset Artifacts - "asset_artifacts"
Investigate File/Process Artifacts - "file_artifacts"

Drag new views to the collection panel.

Save and refresh screen. It will be on the toolbar.
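The navigation editor described above writes a standard Splunk navigation XML file. The fragment below is an added example, not code from the original post or from SA-Investigator itself, showing what the resulting "Investigators" collection looks like with the three view names given above. The file path and the search_view value are assumptions; the view names are the ones listed in the answer.

```xml
<!-- Added example: the navigation collection the steps above produce.
     Assumed location (ES navigation changes are saved to the ES app's local nav):
     $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/data/ui/nav/default.xml
     Only the new collection is shown; the rest of the ES nav is unchanged. -->
<nav search_view="search">

  <!-- ... existing ES collections (Security Posture, Incident Review, ...) ... -->

  <!-- New collection; the label is what appears on the ES toolbar -->
  <collection label="Investigators">
    <!-- View names are the SA-Investigator dashboard IDs from the answer above -->
    <view name="ident_by_name" />    <!-- Investigate Identity Artifacts -->
    <view name="asset_artifacts" />  <!-- Investigate Asset Artifacts -->
    <view name="file_artifacts" />   <!-- Investigate File/Process Artifacts -->
  </collection>

</nav>
```

After saving, a browser refresh (or debug/refresh) picks up the new collection. If a view name does not resolve, confirm the dashboard is exported from SA-Investigator and visible to the ES app, since the nav entry only references the view by ID and does not copy it.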

skalliger
SplunkTrust

Hi,

that app is an SA, which means it's a Supporting Add-on. Thus you won't find a UI to use. As the description says:

"SA-Investigator is an extension that integrates with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process values. Tabs for individual data models like malware, network traffic, certificates are set up for easy viewing and allow the analyst to pivot between these views on entities without having to open multiple dashboards and enter in criteria to start a search. Workflow actions that allow pivoting from Incident Review are also included." - so you'll find the content in ES.

Skalli
