SA-Investigator is an extension that integrates with Splunk Enterprise Security. It provides a set of views based on asset, identity, or file/process values. Tabs for individual data models such as malware, network traffic, and certificates are set up for easy viewing and allow the analyst to pivot between these views on a specific entity without having to open multiple dashboards and enter criteria to start a search. Workflow actions that allow pivoting from Incident Review are also included. NOTE: If you modify any of the five investigators (views), your modifications will be written to the local directory. Upgrades will NOT overwrite the local directory, so if you are upgrading, the local views will need to be deleted. To ensure you do not lose any customizations, please back up your local directory views prior to upgrading and then reapply your modifications after the upgrade.