Splunk Enterprise Security

Splunk ES 4.5 - How do we track removed 'investigations' created against a notable event?

lakshman239
Influencer

I understand we can use the following to look at the investigations created which are 'Active'.

|inputlookup append=t investigative_canvas_lookup
|inputlookup append=t investigative_canvas_entries_lookup

How do we audit/track 'removed' investigations by an analyst? The info in the _audit index logs seems not to capture 'delete/remove investigations'. Any pointers/help would be appreciated.

0 Karma
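A workaround added here, not part of this thread and not an ES feature: a scheduled snapshot-and-diff search that records investigations which were present in the last snapshot but are missing now. It assumes the lookup exposes `_key` and `title` fields (both assumptions) and uses two constructed lookup file names, `investigation_snapshot.csv` and `removed_investigations.csv`.

```spl
| inputlookup investigative_canvas_lookup
| eval seen="current"
| append [| inputlookup investigation_snapshot.csv | eval seen="previous"]
| stats values(seen) AS seen_in, first(title) AS title BY _key
| where mvcount(seen_in)=1 AND seen_in="previous"
| eval detected_at=strftime(now(), "%Y-%m-%d %H:%M:%S"),
       note="in previous snapshot, absent now: deleted, or no longer visible to the searching user"
| table detected_at _key title note
| outputlookup append=true removed_investigations.csv

| inputlookup investigative_canvas_lookup
| outputlookup investigation_snapshot.csv
```

Seed `investigation_snapshot.csv` by running the second search once, then schedule the first search to run a few minutes before the second on each cycle. Lookup contents are filtered by the searching user's permissions, so run both searches as the same service account or a visibility change will look like a deletion.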
1 Solution

lakshman239
Influencer

Thx Luke. Looking for the 1st one mainly


0 Karma

lakshman239
Influencer

Thx Luke, and looking for a solution in the near future

0 Karma

LukeMurphey
Champion

We don't currently have sufficient audit trail info for this case. We have an enhancement request to do this. For reference, the enhancement request number is SOLNESS-10790.

I'll try to remember to post back here once this gets done.

lakshman239
Influencer

Thx Luke. How about items 2 and 3 above? Just curious.

0 Karma

LukeMurphey
Champion

Good question.

That enhancement request is not just to increase auditing for item 1 but to make sure we log thoroughly (which should include all three plus other actions). Our goal is to make it where any change to an investigation is logged.

0 Karma

DEAD_BEEF
Builder

Any update on request SOLNESS-10790?

0 Karma

LukeMurphey
Champion

For clarification, which were you wanting to track:

  1. Deleted investigations
  2. Notables removed from investigations
  3. Records of notables that were deleted that had been associated with an investigation

0 Karma

gonz0
New Member

I have run this same search, but I get no results even though I have investigations created in the journal. How would I create such a list of all journal entries?

0 Karma

lakshman239
Influencer

Item 1 above pls

0 Karma