An analyst adds a note to an investigation. Another analyst from another shift deletes this note. Where is the audit trail that allows me to see when and who did what in an investigation?

According to the doc: "Investigation details from investigations created in versions earlier than 4.6.0 of Splunk Enterprise Security are stored in two KV Store collections, investigative_canvas and investigative_canvas_entries. Those collections are preserved in version 4.6.0 but the contents are added to the new investigation KV Store collections. So to restore, you may need to restore investigation, investigation_attachment, investigation_event, investigation_lead, investigative_canvas, and investigative_canvas_leads."

But except for the investigation KV store (| rest /services/storage/investigation/investigation) I can't access the other KV stores. Is it a missing functionality? Thanks!