Splunk Enterprise Security

Splunk ES 4.5 - How do we track removed 'investigations' created against a notable event?

lakshman239
SplunkTrust

I understand we can use the following to look at the investigations created which are 'Active'.

|inputlookup append=t investigative_canvas_lookup
|inputlookup append=t investigative_canvas_entries_lookup

How do I audit/track 'removed' investigations by an analyst? The info in the _audit index logs seems not to capture 'delete/remove investigations'. Any pointers/help would be appreciated.

0 Karma
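A workaround added here by the editor, not code from the thread or from Splunk: ES 4.5 writes no audit event when an investigation is deleted, so the next best thing is to snapshot the KV store lookup on a schedule and diff consecutive snapshots. The two saved-search stanzas below assume an index named summary_es exists and that investigative_canvas_lookup exposes title and creator fields (assumed names; _key is the only field a KV store lookup guarantees). They yield the window in which an investigation disappeared, not the user who removed it.

```ini
# Added example (not from the thread or from Splunk): approximate a delete
# audit for ES investigations by snapshotting the KV store lookup every 15
# minutes and flagging any investigation_id that is present in an earlier
# snapshot but absent from the latest one.
# Assumptions: index "summary_es" exists; "title" and "creator" are assumed
# field names in investigative_canvas_lookup (only _key is guaranteed).

[ES - Investigation snapshot]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
# _key is renamed because collect drops fields that start with an underscore.
search = | inputlookup investigative_canvas_lookup \
| rename _key AS investigation_id \
| eval snapshot_time=now(), _time=now() \
| fields _time investigation_id title creator snapshot_time \
| collect index=summary_es source="investigation_snapshot"

[ES - Investigations removed since last snapshot]
enableSched = 1
cron_schedule = 5,20,35,50 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
# For each investigation take the last snapshot it appeared in; anything whose
# last appearance predates the newest snapshot in the window was removed.
search = index=summary_es source="investigation_snapshot" \
| stats max(snapshot_time) AS last_seen, latest(title) AS title, latest(creator) AS creator BY investigation_id \
| eventstats max(last_seen) AS latest_snapshot \
| where last_seen < latest_snapshot \
| eval removed_between=strftime(last_seen, "%F %T") . " and " . strftime(latest_snapshot, "%F %T") \
| table investigation_id title creator removed_between
```

The same pair, pointed at investigative_canvas_entries_lookup, catches notables removed from an investigation (item 2 in the thread). Two caveats: the one-hour window must contain at least two snapshots for the diff to mean anything, and if the newest snapshot is empty (every investigation deleted at once) the diff search reports nothing, because latest_snapshot is derived from the surviving rows; writing a separate heartbeat event with each snapshot and reading latest_snapshot from it closes that gap.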
1 Solution

lakshman239
SplunkTrust

Thx Luke. Looking for the 1st one mainly

View solution in original post

0 Karma

lakshman239
SplunkTrust

Thx Luke, and looking for a solution in the near future.

0 Karma

LukeMurphey
Champion

We don't currently have sufficient audit trail info for this case. We have an enhancement request to do this. For reference, the enhancement request number is SOLNESS-10790.

I'll try to remember to post back here once this gets done.

lakshman239
SplunkTrust

Thx Luke. How about items 2 and 3 above? Just curious.

0 Karma

LukeMurphey
Champion

Good question.

That enhancement request is not just to increase auditing for item 1 but to make sure we log thoroughly (which should include all three plus other actions). Our goal is to make it where any change to an investigation is logged.

0 Karma

DEAD_BEEF
Builder

Any update on request SOLNESS-10790?

0 Karma

LukeMurphey
Champion

For clarification, which were you wanting to track:

  1. Deleted investigations
  2. Notables removed from investigations
  3. Records of notables that were deleted that had been associated with an investigation

0 Karma

gonz0
New Member

I have run this same search, but I get no results even though I have investigations created in the journal. How would I create such a list of all journal entries?

0 Karma

lakshman239
SplunkTrust

Item 1 above, please.

0 Karma