Splunk Enterprise Security

Splunk ES 4.5 - How do we track removed 'investigations' created against a notable event?

lakshman239
SplunkTrust

I understand we can use the following to look at the investigations created which are 'Active'.

|inputlookup append=t investigative_canvas_lookup
|inputlookup append=t investigative_canvas_entries_lookup

How to audit/track 'removed' investigations by an analyst? The info in _audit index logs seems to not capture 'delete/remove investigations'. Any pointers/help would be appreciated.

0 Karma
1 Solution

lakshman239
SplunkTrust

Thx Luke. Looking for the 1st one mainly

0 Karma

lakshman239
SplunkTrust

Thx Luke, looking for a solution in the near future.

0 Karma

LukeMurphey
Champion

We don't currently have sufficient audit trail info for this case. We have an enhancement request to do this. For reference, the enhancement request number is SOLNESS-10790.

I'll try to remember to post back here once this gets done.
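Until that audit trail exists, one way to at least record when an investigation disappears is to diff the lookup from the question against a periodic copy of it. The stanzas below are an added example, not part of this thread or of Enterprise Security; they assume investigative_canvas_lookup exposes `id` and `title` fields, and the snapshot file name and summary sourcetype are placeholders to rename.

```conf
# Added example (not ES-shipped content): savedsearches.conf stanzas that flag
# investigations missing from investigative_canvas_lookup since the last run.
# Assumptions: the lookup has `id` and `title` fields; investigation_snapshot.csv
# and sourcetype es_investigation_removed are placeholder names.

# 1) Runs at :00 - compare the previous snapshot against the live lookup and
#    write a summary event for every id that is no longer present. Run stanza 2
#    once by hand before enabling this so the snapshot file already exists.
[ES - Investigation removed from canvas]
enableSched = 1
cron_schedule = 0 * * * *
search = | inputlookup investigation_snapshot.csv \
    | lookup investigative_canvas_lookup id OUTPUT id AS still_present \
    | where isnull(still_present) \
    | eval _time=now(), audit_action="investigation_removed" \
    | fields _time, id, title, snapshot_time, audit_action \
    | collect index=summary sourcetype=es_investigation_removed

# 2) Runs at :05 - refresh the snapshot from the live lookup. The five-minute
#    offset guarantees stanza 1 always diffs against the previous hour's copy.
[ES - Investigation snapshot refresh]
enableSched = 1
cron_schedule = 5 * * * *
search = | inputlookup investigative_canvas_lookup \
    | eval snapshot_time=now() \
    | fields id, title, snapshot_time \
    | outputlookup investigation_snapshot.csv
```

This records which investigation vanished and roughly when, not who removed it, and an investigation created and deleted within the same hour is never seen by the diff.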

lakshman239
SplunkTrust

Thx Luke. How about items 2 and 3 above? Just curious.

0 Karma

LukeMurphey
Champion

Good question.

That enhancement request is not just to increase auditing for item 1 but to make sure we log thoroughly (which should include all three plus other actions). Our goal is to make it where any change to an investigation is logged.

0 Karma

DEAD_BEEF
Builder

Any update on request SOLNESS-10790?

0 Karma

LukeMurphey
Champion

For clarification, which were you wanting to track:

  1. Deleted investigations
  2. Notables removed from investigations
  3. Records of notables that were deleted that had been associated with an investigation

0 Karma

gonz0
New Member

I have run this same search, but I get no results even though I have investigations in journal created. How would I create such a list of all journal entries?

0 Karma

lakshman239
SplunkTrust

Item 1 above pls

0 Karma