Splunk Enterprise Security

Splunk ES 4.7.6 - How do we track active investigations via lookup?

DEAD_BEEF
Builder

Is there a lookup I can use to create a custom table of active investigations? I am trying to create a table that shows all active investigations, as users by default cannot see investigations if they are not collaborators. This table will let all analysts see every active investigation, at least in an initial way. I saw this thread, but that lookup doesn't appear to work.

will2021
Engager

Bumping this thread as this is very useful information that does not seem to have a lot of documentation surrounding it.

0 Karma

robjackson
Path Finder

The only way I found. Thanks to PS.

Unfortunately, there’s no way to do this currently.

The issue isn’t with the JSON format. The permissions on that particular KV Store collection are purposefully locked down. Changing those permissions is heavily advised against internally.

Running the | rest command in Search against that endpoint will not produce any results. The only way to get that data is to run a curl command from the command line. The screenshots below show both cases. As for the command line output, that’s standard JSON that could be indexed and searched on.
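The curl route robjackson describes, as an added shell example that is not from this thread or from Splunk; the app that defines the collection, the CA bundle path for the management port and the credentials are assumptions supplied through environment variables:

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk: pull an ES investigation
# KV Store collection over the management REST API with curl. Assumptions:
# management port 8089, a CA bundle for that port, and the app that defines the
# collection (check its collections.conf) come from environment variables;
# credentials are fed to curl on stdin so they never show up in ps output.
set -eu

SPLUNK_HOST="${SPLUNK_HOST:-localhost}"
SPLUNK_APP="${SPLUNK_APP:-YOUR_ES_APP}"          # placeholder: app owning the collection
SPLUNK_CA="${SPLUNK_CA:-/path/to/splunk-ca.pem}"  # placeholder: CA for the management port
SPLUNK_USER="${SPLUNK_USER:-admin}"
SPLUNK_PASS="${SPLUNK_PASS:-}"

# Standard KV Store data endpoint for a collection owned by "nobody" in the app.
kv_collection_url() {
  printf 'https://%s:8089/servicesNS/nobody/%s/storage/collections/data/%s' "$1" "$2" "$3"
}

# Fetch the whole collection as a JSON array. The user:password pair is passed
# through curl's -K config reader on stdin instead of a visible -u argument.
dump_collection() {
  printf 'user = "%s:%s"\n' "$SPLUNK_USER" "$SPLUNK_PASS" |
    curl -sS --fail --cacert "$SPLUNK_CA" -K - \
      "$(kv_collection_url "$SPLUNK_HOST" "$SPLUNK_APP" "$1")"
}

# Every KV Store record carries a "_key" field, so counting those occurrences
# counts records without needing jq on the box. Reads the JSON from stdin.
count_records() {
  grep -o '"_key"' | wc -l | tr -d ' '
}

# Dump both investigation collections named in the thread to files that a file
# monitor input can pick up, and report how many records each one holds.
main() {
  for c in investigative_canvas investigative_canvas_entries; do
    dump_collection "$c" > "$c.json"
    echo "$c: $(count_records < "$c.json") records"
  done
}

if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `SPLUNK_PASS=... ./dump_investigations.sh run` with the placeholders set for your deployment; the account used only needs read access to the collection, so avoid running it as admin.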

DEAD_BEEF
Builder

@robjackson would you mind re-attaching the screenshots below? I would love to see the curl commands to pull this info. Thanks for the info!

0 Karma

ronald1202
New Member

I really need a solution to this problem.

0 Karma

woodcock
Esteemed Legend

You need to know that the KV Store collections are named investigative_canvas_entries and investigative_canvas. Then do what is listed here to use inputlookup to dump the collection data:

http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEZW

ronald1202
New Member

This doesn't work.

0 Karma

woodcock
Esteemed Legend

I neglected to mention that you have to create a lookup definition pointing to the collection and then use inputlookup against the lookup definition, not the collection.

DEAD_BEEF
Builder

Hi @woodcock, I tried using inputlookup and that returns the error "The lookup table 'investigative_canvas_entries' is invalid." But there are multiple investigations already created. Can you expand on what you meant by "do what is listed here..."?

| inputlookup investigative_canvas_entries