
Downloads for SA-Investigator for Enterprise Security

SHA256 checksums of the packages:

- sa-investigator-for-enterprise-security_212.tgz: d3376394c0853320e0d14cd7a4507159044b249470b2ca4b227428cea4d029a4
- sa-investigator-for-enterprise-security_200.tgz: f275d71cdf11138e3e8bc42afe440a17a8df351b7341184cfb41bd5670ce2c57
- sa-investigator-for-enterprise-security_131.tgz: 425bf5ddcf90fde62a99eaeb532ec04ed92d8c54eef5485eb4de20d767d67538

For installation instructions specific to your download, see the Details tab.
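Comparing the downloaded package against the checksum published above is the supply-chain check the checksum list exists for: a package whose hash differs from the listed one should not be installed. The POSIX shell script below is an added example, not code from Splunk or from the SA-Investigator app. The checksum values are the ones listed on this page; the function names and the file-name lookup are my own.

```shell
# Added example (not part of the Splunkbase page or the app): verify a downloaded
# SA-Investigator package against the SHA256 checksums published on the page.

# Published checksums, keyed by package file name (values as listed on the page).
sa_investigator_expected_sha256() {
    case "$1" in
        sa-investigator-for-enterprise-security_212.tgz) echo d3376394c0853320e0d14cd7a4507159044b249470b2ca4b227428cea4d029a4 ;;
        sa-investigator-for-enterprise-security_200.tgz) echo f275d71cdf11138e3e8bc42afe440a17a8df351b7341184cfb41bd5670ce2c57 ;;
        sa-investigator-for-enterprise-security_131.tgz) echo 425bf5ddcf90fde62a99eaeb532ec04ed92d8c54eef5485eb4de20d767d67538 ;;
        *) return 1 ;;
    esac
}

# Print the lowercase hex SHA256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED: returns 0 when the file's SHA256 equals EXPECTED
# (case-insensitive), 1 otherwise. Nothing is installed by this function.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file: expected $expected, got $actual" >&2
    return 1
}

# verify_download FILE: looks up the published checksum by the file's base name.
# Returns 0 on match, 1 on mismatch, 2 when the page lists no checksum for it.
verify_download() {
    name=$(basename "$1")
    expected=$(sa_investigator_expected_sha256 "$name") || {
        echo "no published checksum for $name" >&2
        return 2
    }
    verify_checksum "$1" "$expected"
}

# Usage: verify_download ./sa-investigator-for-enterprise-security_212.tgz
```

Run `verify_download` on the package before extracting it on the search head; a non-zero exit means either a corrupted or altered download (1) or a file name the page does not list (2), and both deserve a second look before installation.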


SA-Investigator for Enterprise Security

Splunk AppInspect Passed
SA-Investigator is an extension that integrates with Splunk Enterprise Security. It provides a set of views based on asset, identity or file/process values. Tabs for individual data models such as malware, network traffic and certificates are set up for easy viewing and let the analyst pivot between these views for an entity without opening multiple dashboards and entering criteria to start a search. Workflow actions that allow pivoting from Incident Review are also included.

SA-Investigator is an extension built to integrate with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process. Rather than searching all data for the asset you are looking for, target your investigation on the asset(s) or identity of interest and then pivot to authentication events or network traffic events that are pertinent to the asset(s) or identity under investigation.

Dependencies

URL Toolbox https://splunkbase.splunk.com/app/2734/ is required for the searches that populate a few of the panels within the DNS and Web tabs.
The Alexa top-1M list (transitioning to the Cisco Umbrella 1M list) is also used; if you are installing alongside Enterprise Security, this list is already available.
Enterprise Security is assumed to be installed, since the workflow actions and certain drill-downs take users to Enterprise Security dashboards.

Notes

SA-Investigator does not require population of Asset & Identity Framework to work. However, if multiple values (IP Address, MAC, NT Hostname, Hostname) for assets are stored within ES, all values will be searched when using the asset investigator.

Release Notes 2.1.2

-Added workflow actions to pivot to file/process and hashes from Incident Review
-Fixed File/Process Artifacts drill down - Endpoint - Application State Process Details
-Fixed Sysmon search in hashes to drill down on EventCode 1
-Fixed Network Traffic by App panel to strip out file paths to enable drill downs

Release Notes 2.1

-Added custom messages on each pane when no results are found so that it is immediately apparent that no data is found.
-Added spinning wheel icon so that users have better awareness that searches are still in progress.
-Initial release of the Hash Artifact dashboard so that a hash can be entered in and searched across different data models much like assets, identities and file names.
-Users will need to add the hash artifacts dashboard view to the ES navigation

Release Notes 2.0

-The primary focus of this release was improving speed of search. This version has been tested against 100K assets and 60K user accounts for query performance. The biggest change is the elimination of the subsearches in the panels while retaining the ability to search asset and identity framework values like IP, DNS, NT Hostname and MAC in the case of assets and multiple identities.
-Added new panels and tabs for the Endpoint and Change datamodels (requires CIM 4.12)
-Commented out the Change Analysis and Application State datamodels as they are deprecated with 4.12 - Note that they can be re-enabled if desired.
-Modified identity search to autopopulate escape characters for usernames with a format of domain\username
-Modified the Windows Event Search tab to search specific fields for assets (host,dvc,src and dest) and identity (user) and added the ability to search multiple Windows Event Codes concurrently (comma separated)
-Modified the sourcetype search to search specific fields for assets (host,dvc,src and dest) and identity (user)
-Modified the search panel to generate a multiselect list of sourcetypes to choose from and then search specific fields for assets (host,dvc,src and dest) and identity (user)
-Updated drill-down searches to accommodate refined searches and eliminate subsearches wherever possible
-Added additional drill-down searches and pivots to other ES or SA-Investigator dashboards
-Removed individual time pickers for threat and dns panels
-Removed multi-asset search

Release Notes 1.3

-Added multi-select index search to file investigator
-Added multi-select index search tabs to asset and identity investigator
-Added drill down in Application State Details for raw data for file investigator
-Improved search formatting and output of OSQuery and Sysmon hashes at process creation and added drilldown to events
-Added Web tab to file investigator
-Added Windows Event 4688 Search tab for file investigator
-Added Windows Event Search tab in asset and identity investigators to search against 1:many indexes and a single event code
-Added panels to the asset detail tab that show the likely IP addresses of a hostname based on network traffic information (if applicable). This can be useful if a host name is in the asset table but it does not have a specific IP address mapped to it.
-All tabular results should sort oldest to newest
-Added note reminding everyone to use \ as an escape character for domain\user notation
-Fixed drilldowns for multi-asset searches
-Fixed search associated with DNS and Alexa-1M
-Misc drilldown searches were improved and cleaned up

Release Notes 1.2

-Add Risk Tab to both Asset and Identity and calculate All Time, 30 and 7 Day scores as well as detail and charting.
-Add html link for glass table network topology to be easily added to both asset and identity (requires editing the simple XML for the URL of the glass table)
-Added Search Tab to both Asset and Identity, which provides sourcetype counts and a full search of all events regardless of the field in which the asset value(s) are stored. NOTE: this search can be very expensive if run over a long time range, so these panels have their own time pickers to let users pick a specific time frame for this data.
-Fixed notable event fields not fully populating
-Fixed asset searches to use macro instead of datamodel command to improve search
-Fixed labels to ensure better look and feel with Splunk's new visualization libraries
-Fixed a few line charts that were not formatted correctly

Release Notes 1.1

-Added exclusion lists for Windows Events, domains, services, processes and ports
-Enhanced searches in Threat Indicator Tab
-Added multiple asset search capability
-Improved content in endpoint changes tab

Release Notes 1.0

-Initial Release

Release Notes

Version 2.1.2
Oct. 9, 2019


This release adds custom messages on each pane when no results are found so that it is immediately apparent that no data is found. A spinning wheel icon is also added, particularly for non-tstats searches, so that the user has better awareness that searches are still in progress. An initial release of a new dashboard, Hash Artifacts, is included as well so that a hash can be entered and searched across different data models, much like assets, identities and file names. Finally, there are a few bug fixes to address issues that have been identified. Users will need to add the hash artifacts dashboard view to the ES navigation.

Version 2.0.0
Feb. 9, 2019

-A complete list of enhancements can be found in the detail of the app

Version 1.3.1
Oct. 9, 2018

The primary focus of this release was enhancements to the file investigator, as well as more search functionality in the asset and identity investigators. More info is available in the details section of the app.

986 installs, 3,202 downloads

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.


© 2005-2019 Splunk Inc. All rights reserved.