I installed SA-Investigator on our ESSearchHead, but I do not understand how to launch the App.
It appears on the App Menu, but when I select it, I get the pony error page.
I am able to investigate artifacts from ES > Incident Review > Selecting the Incident > Action Menu > Investigate Asset Artifacts
but for the life of me, I can't seem to launch SA-Investigator directly to do searches... for example, I would like to utilize the File/Process Investigator
that app is an SA, which means it's a Supporting Add-on. Thus you won't find a UI to use. As the decription says:
"SA-Investigator is an extension that integrates with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process values. Tabs for individual data models like malware, network traffic, certificates are set up for easy viewing and allow the analyst to pivot between these views on a entities without having to open multiple dashboards and enter in criteria to start a search. Workflow actions that allow pivoting from Incident Review are also included." - so you'll find the content in ES.
To show the dashboards directly from the UI once you have the app installed.
Configure -> General -> Navigation
Create a new collection. Maybe call it "Investigators".
Add new Views:
Investigate Identity Artifacts - "identbyname"
Investigate Asset Artifacts - "assetartifacts"
Investigate File/Process Artifacts - "fileartifacts"
Drag new views to the collection panel.
Save and refresh screen. It will be on the toolbar.