Manage investigations in Splunk Enterprise Security

As an Enterprise Security administrator, you can manage access to security investigations, and support analysts by troubleshooting problems with their action history. For more information about the analyst investigation workflow, see Investigations in Splunk Enterprise Security in Use Splunk Enterprise Security.

Users with the ess_admin role can create, view, and manage investigations by default. Users with the ess_analyst role can create and edit investigations. Make changes to capabilities with the Permissions dashboard. To allow other users to create or edit an investigation, add the Manage Your Investigations capability to their role; users can only make changes to investigations on which they are a collaborator. To allow other users to manage, view, and delete all investigations, add the Manage All Investigations capability to their role. See Configure users and roles in the Installation and Upgrade Manual.

You can manage who can make changes to an investigation by setting write permissions for collaborators on a specific investigation. By default, all collaborators have write permissions for the investigations to which they are added, but other collaborators on the timeline can change those permissions to read-only. After a user creates an investigation, any user with the Manage All Investigations capability can view the investigation, but only the collaborators on the investigation can edit it. See Make changes to the collaborators on an investigation in Use Splunk Enterprise Security.

Splunk Enterprise Security stores investigation information in several KV Store collections. The investigations on the Investigations page, items added to the investigation, attachments added to notes on the investigation, and artifacts added to the investigation workbench each have their own collection. See Investigations in the Dashboard requirements matrix for Splunk Enterprise Security. You cannot view the investigation KV Store collections as lookups. Only users with the admin role can view or modify the KV Store collections using the KV Store API endpoint. For details about using the KV Store API endpoint, see KV Store endpoint descriptions in the Splunk Enterprise REST API Reference Manual.

Investigation details from investigations created in versions earlier than 4.6.0 of Splunk Enterprise Security are stored in two KV Store collections, investigative_canvas and investigative_canvas_entries. Those collections are preserved in version 4.6.0, but their contents are added to the new investigation KV Store collections. So to restore investigations completely, you may need to restore investigation, investigation_attachment, investigation_event, investigation_lead, investigative_canvas, and investigative_canvas_leads.

Troubleshoot investigation action history items

When an analyst selects a type of action history to add to an investigation, one of five searches runs over the selected time range. View the searches by navigating to Configure > Content > Content Management and using the filters on the page. If you change these saved searches, action history items might fail to appear in your action history. To exclude a search from your action history, use the Action History Search Tracking Allowlist lookup.
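Because the investigation data is split across several KV Store collections, a restore that brings back only some of them leaves investigations partially populated. The following pre-restore check is an added example and not Splunk's own code: it takes a backup laid out as a mapping of collection name to the list of JSON records that the KV Store data endpoint returns, reports which of the six collections named above are missing or empty, and flags the pre-4.6.0 investigative_canvas_entries collection as legacy. The URL helper uses the standard Splunk path shape servicesNS/nobody/<app>/storage/collections/data/<collection>; the app namespace is a placeholder you must replace, and the sample backup records are constructed for illustration.

```python
"""Pre-restore completeness check for the Enterprise Security investigation
KV Store collections (added example; not Splunk's own code)."""
from __future__ import annotations

# Collections the documentation names as needed for a complete restore.
INVESTIGATION_COLLECTIONS = (
    "investigation",
    "investigation_attachment",
    "investigation_event",
    "investigation_lead",
    "investigative_canvas",        # pre-4.6.0 data, preserved after upgrade
    "investigative_canvas_leads",
)

# Pre-4.6.0 collection whose contents were migrated into the new collections.
LEGACY_COLLECTIONS = ("investigative_canvas_entries",)

# Placeholder (assumption): the app that owns the collections in your deployment.
APP_NAMESPACE = "<ES_APP_NAMESPACE>"


def kvstore_data_url(base_url: str, collection: str, app: str = APP_NAMESPACE) -> str:
    """Build the KV Store data endpoint URL for one collection.

    servicesNS/nobody/<app>/storage/collections/data/<collection> is the standard
    Splunk KV Store REST path; only admin-role users may read or write it.
    """
    return (
        f"{base_url.rstrip('/')}/servicesNS/nobody/{app}"
        f"/storage/collections/data/{collection}"
    )


def check_backup(backup: dict[str, list[dict]]) -> dict[str, list[str]]:
    """Classify each required collection as ok, empty, or missing, and list any
    legacy collections that are present for information only."""
    report: dict[str, list[str]] = {"ok": [], "empty": [], "missing": [], "legacy": []}
    for name in INVESTIGATION_COLLECTIONS:
        if name not in backup:
            report["missing"].append(name)
        elif not backup[name]:
            report["empty"].append(name)
        else:
            report["ok"].append(name)
    report["legacy"] = [n for n in LEGACY_COLLECTIONS if n in backup]
    return report


def restore_is_complete(backup: dict[str, list[dict]]) -> bool:
    """A restore is complete only when every required collection is present.

    Empty collections are acceptable (an instance may simply have no attachments),
    but a missing collection would silently drop part of every investigation.
    """
    return not check_backup(backup)["missing"]


# Constructed sample backup: one collection absent, attachments empty, and a
# legacy collection still present. Record contents are illustrative only.
SAMPLE_BACKUP: dict[str, list[dict]] = {
    "investigation": [{"_key": "inv-1", "title": "constructed example"}],
    "investigation_attachment": [],
    "investigation_event": [{"_key": "evt-1"}],
    "investigation_lead": [{"_key": "lead-1"}],
    "investigative_canvas": [{"_key": "canvas-1"}],
    "investigative_canvas_entries": [{"_key": "entry-1"}],
}

if __name__ == "__main__":
    report = check_backup(SAMPLE_BACKUP)
    for status, names in report.items():
        print(f"{status:>8}: {', '.join(names) or '-'}")
    print("restore complete:", restore_is_complete(SAMPLE_BACKUP))
    for name in INVESTIGATION_COLLECTIONS:
        print(kvstore_data_url("https://splunk.example:8089", name))
```

Run the script against an export of your own collections (one list of records per collection name) before writing anything back; refusing to proceed while `missing` is non-empty is the check that matters, since an incomplete restore is not visible from the Investigations page itself.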