Is there a lookup I can use to create a custom table of active investigations? I am trying to create a table that shows all active investigations, as users by default cannot see investigations if they are not collaborators. This table will let all analysts see every active investigation, at least in an initial way. I saw this thread, but that lookup doesn't appear to work.
The only way I found. Thanks to PS.
Unfortunately, there’s no way to do this currently.
The issue isn’t with the JSON format. The permissions on that particular KV Store collection are purposefully locked down. Changing those permissions is heavily advised against internally.
Running the | rest command in Search against that endpoint will not produce any results. The only way to get that data is to run a curl command from the command line. The screenshots below show both cases. As for the command line output, that’s standard JSON that could be indexed and searched on.
You need to know that the KV Store collections are named investigative_canvas. Then do what is listed here to use inputlookup to dump the collection data:
Hi @woodcock, I tried using inputlookup and that returns the error, "The lookup table 'investigative_canvas_entries' is invalid." But there are multiple investigations already created. Can you expand on what you meant by "do what is listed here..."?
| inputlookup investigative_canvas_entries