Splunk Enterprise Security

Way to search ES Investigations for artifact or IOC?

ch1221
Path Finder

Is there a way to search all ES Investigations for a specific artifact or IOC that may be documented in the notes?

1 Solution

lkutch_splunk
Splunk Employee

Are you referring to these notes?
https://docs.splunk.com/Documentation/ES/6.4.1/User/Addtoaninvestigation#Add_a_note_to_an_investigat...

I don't think there's a way to search for content within the notes, but only to search for the name/title of the notes. That sounds like a good idea though. Perhaps submit it to https://ideas.splunk.com/ 



ch1221
Path Finder

Added as an Idea.


ch1221
Path Finder

Yes, those notes, or any threat detection in a notable associated with an investigation, would be useful.
