- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Splunk ES 4.5 - How do we track removed 'investiga...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understand we can use the following to look at the investigations created which are 'Active'.
|inputlookup append=t investigative_canvas_lookup
|inputlookup append=t investigative_canvas_entries_lookup
How to audit/track 'removed' investigations by an analyst? The info in _audit index logs seems to not capture 'delete/remove investigations'. Any pointers/help would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx luke and looking for a solution in near future
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We don't currently have sufficient audit trail info for this case. We have an enhancement request to do this. For reference, the enhancement request number is SOLNESS-10790.
I'll try to remember to post back here once this gets done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx Luke. How about for items 2 and 3 above. Just curious
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good question.
That enhancement request is not just to increase auditing for item 1 but to make sure we log thoroughly (which should include all three plus other actions). Our goal is to make it where any change to an investigation is logged.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any update on request SOLNESS-10790?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx Luke. Looking for the 1st one mainly
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For clarification, which were you wanting to track:
- Deleted investigations
- Notables removed from investigations
- Records of notables that were deleted that had been associated with an investigation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have run this same search, but I get no results even tho i have investigations in journal created. how would I create such a list of all journal entries?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Item 1 above pls
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
