SA-Investigator is an extension built to integrate with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process. Rather than searching all data for the asset you are looking for, target your investigation on the asset(s) or identity of interest and then pivot to authentication events or network traffic events that are pertinent to the asset(s) or identity under investigation.

URL Toolbox is required for searches to populate a few of the panels within the DNS and Web tabs. Enterprise Security is assumed to be installed, because workflow actions and certain drill-downs take users to Enterprise Security dashboards. The Alexa list (transitioning to the Cisco Umbrella 1M list) is also leveraged, but if you are installing with Enterprise Security this will already be available.

SA-Investigator does not require population of the Asset & Identity Framework to work. However, if multiple values (IP address, MAC, NT hostname, hostname) for an asset are stored within ES, all of those values will be searched when using the asset investigator.

Added text/checkbox filters to many tabular panels to filter search results, including Endpoint, Authentication, DNS, Web and Certificates. Added drilldowns to tabular endpoint panels that pivot to the identity investigator when user is clicked on, to the asset investigator when src or dest is clicked on, and to the file/process investigator when process_exec, process_name or parent_process_exec is clicked on.