Splunk Enterprise Security

How to integrate SA-Investigator with ES

Communicator

Greetings--

I installed SA-Investigator on our ESSearchHead, but I do not understand how to launch the App.
It appears on the App Menu, but when I select it, I get the pony error page.

I am able to investigate artifacts from ES > Incident Review > Selecting the Incident > Action Menu > Investigate Asset Artifacts

but for the life of me, I can't seem to launch SA-Investigator directly to do searches... for example, I would like to utilize the File/Process Investigator

Please advise.


Re: How to integrate SA-Investigator with ES

SplunkTrust

Hi,

That app is an SA, which means it's a Supporting Add-on. Thus you won't find a UI to use. As the description says:

"SA-Investigator is an extension that integrates with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process values. Tabs for individual data models like malware, network traffic, certificates are set up for easy viewing and allow the analyst to pivot between these views on entities without having to open multiple dashboards and enter in criteria to start a search. Workflow actions that allow pivoting from Incident Review are also included." - so you'll find the content in ES.

Skalli


Re: How to integrate SA-Investigator with ES

Explorer

To show the dashboards directly in the UI once you have the app installed:

Configure -> General -> Navigation

Create a new collection. Maybe call it "Investigators".

Add new Views:
Investigate Identity Artifacts - "identbyname"
Investigate Asset Artifacts - "assetartifacts"
Investigate File/Process Artifacts - "fileartifacts"

Drag new views to the collection panel.

Save and refresh screen. It will be on the toolbar.