hiltcorner.blogg.se

File hash calculator windows splunk support

SA-Investigator is an extension built to integrate with Splunk Enterprise Security. It provides a set of views based on the asset, identity or file/process. Rather than searching all data for the asset you are looking for, target your investigation on the asset(s) or identity of interest and then pivot to the authentication events or network traffic events that are pertinent to the asset(s) or identity under investigation.

Requirements

Enterprise Security is assumed to be installed, since workflow actions and certain drill-downs take users to Enterprise Security dashboards. The Alexa list (transitioning to the Cisco Umbrella 1M) is also leveraged; if you are installing alongside Enterprise Security it will already be available. URL Toolbox is required for the searches that populate a few of the panels within the DNS and Web tabs. SA-Investigator does not require the Asset & Identity Framework to be populated in order to work; however, if multiple values (IP address, MAC, NT hostname, hostname) for an asset are stored within ES, all of them are searched when using the asset investigator.

Release Notes (version label not preserved)

- Added a drill down from File/Process Artifacts to Hash Artifacts.
- Fixed an issue where the JavaScript tabs were not loading with version 7.3.3 and newer.

Release Notes 2.2.0

- Improved file name and file hash searches.

Release Notes 2.2.2

- Improved asset search for ease of use and performance.
- Fixed drill-downs for the Endpoint tab to provide greater specificity.

Further entries (version label not preserved)

- Added a dashboard for hunting indicators historically. This is an initial foray and will continue to expand in future releases; the initial datamodels used are Email, Network Resolution, Network Traffic and Endpoint.Processes.
- Revised the hunting indicators dashboard to include more datamodels.
- Updated the 4688 Process Command Line and Account Name fields to accommodate changes in the Windows TA.
- Updated threat intel searches to accommodate the new threat-generating searches introduced in ES 6.4.
- Added wildcard support for the file hash panels, to be more forgiving of TAs that concatenate multiple hashes into a single hash field.
- Added support for RenderXML=1 in the Windows Event and Sysmon TAs.
- Updated dashboards for jQuery 3.5 support.
- Removed the glass table button on all screens, as glass tables are deprecated in ES 6.6.x and later (currently commented out).
- Modified the file hash search to use the Endpoint data model.
- Added additional authentication fields to Authentication by User for more context.
- Added drilldowns to numerous panels that previously lacked them, with the specific cell drilldowns called out in the search panel.
- Added a parent process panel to the file/process dashboard under Endpoint, with filters for dest and user and a pivot on process_name, for better searchability of spawned processes.
- Added drilldowns to the tabular Endpoint panels: clicking user pivots to the identity investigator, clicking src or dest pivots to the asset investigator, and clicking process_exec, process_name or parent_process_exec pivots to the file/process investigator.
- Added text/checkbox filters to many tabular panels (Endpoint, Authentication, DNS, Web and Certificates) to filter search results.
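The release-notes entry about wildcard support for the file hash panels points at a real search pitfall: some TAs (Sysmon's Hashes string, for instance) put several digests into one field as SHA1=...,MD5=...,SHA256=...,IMPHASH=..., so a panel that matches file_hash=<value> exactly misses those events, while file_hash=*<value>* finds them. The Python below is an added illustration, not code from SA-Investigator or Splunk. It models the exact and wildcard behaviours over constructed events and also shows the stricter alternative of splitting the concatenated field into per-algorithm digests before comparing. The field name file_hash, the event shapes and the digest values are assumptions and placeholders, not data from the page.

```python
"""Why an exact match on file_hash misses some TAs' events, and two ways to fix it.

Added illustration, not code from SA-Investigator or Splunk. Field names,
event shapes and digest values below are constructed placeholders.
"""

# Constructed placeholder digests (not hashes of any real file).
TARGET = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
OTHER = "fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9"

# Constructed events. The first mimics a Sysmon TA that leaves the Hashes
# string (SHA1=..,MD5=..,SHA256=..,IMPHASH=..) in a single file_hash field;
# the other two mimic a TA that stores one lowercase digest per event.
EVENTS = [
    {"sourcetype": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
     "process_name": "notepad.exe",
     "file_hash": "SHA1=3F786850E387550FDAB836ED7E6DC881DE23001B,"
                  "MD5=9E107D9D372BB6826BD81D3542A419D6,"
                  "SHA256=" + TARGET.upper() + ","
                  "IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744"},
    {"sourcetype": "WinEventLog:Security", "process_name": "notepad.exe",
     "file_hash": TARGET},
    {"sourcetype": "WinEventLog:Security", "process_name": "calc.exe",
     "file_hash": OTHER},
]

# Digest length -> algorithm, used when a field carries a bare hex digest.
BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def exact_hash_match(events, wanted):
    """Old panel behaviour (file_hash=<value>): whole-field, case-insensitive equality."""
    wanted = wanted.lower()
    return [e for e in events if e.get("file_hash", "").lower() == wanted]


def wildcard_hash_match(events, wanted):
    """Wildcard panel behaviour (file_hash=*<value>*): substring match anywhere in the field."""
    wanted = wanted.lower()
    return [e for e in events if wanted in e.get("file_hash", "").lower()]


def split_concatenated_hashes(value):
    """Split 'SHA1=..,MD5=..,SHA256=..' into {'sha1': .., 'md5': .., 'sha256': ..}.

    A bare digest with no ALGO= prefix is labelled by its length so that
    single-hash TAs and concatenating TAs end up in the same shape.
    """
    digests = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        algo, sep, digest = part.partition("=")
        if not sep:  # no "ALGO=" prefix: the whole part is a bare digest
            digest = algo
            algo = BY_LENGTH.get(len(digest), "unknown")
        digests[algo.lower()] = digest.lower()
    return digests


def strict_hash_match(events, wanted):
    """Parse first, then compare whole digests.

    Unlike the wildcard, a 32-hex MD5 can never match inside a 64-hex SHA256,
    and each hit reports which algorithm produced it.
    """
    wanted = wanted.lower()
    hits = []
    for event in events:
        for algo, digest in split_concatenated_hashes(event.get("file_hash", "")).items():
            if digest == wanted:
                hits.append((event["process_name"], algo))
    return hits


if __name__ == "__main__":
    print("exact   :", [e["sourcetype"] for e in exact_hash_match(EVENTS, TARGET)])
    print("wildcard:", [e["sourcetype"] for e in wildcard_hash_match(EVENTS, TARGET)])
    print("strict  :", strict_hash_match(EVENTS, TARGET))
```

The exact match finds only the event whose field is the bare digest; the wildcard finds both the bare digest and the Sysmon-style concatenation, which is what the panel change buys. The SPL equivalent is a term such as file_hash=*<digest>*, and its cost is that a leading wildcard cannot use the indexed-term lookup, so it is slower on large Endpoint searches. Where the TA does not already split the Hashes string into separate fields, extracting them the way split_concatenated_hashes does (for example with a field extraction or calculated field) gives an exact comparison again and also tells you which algorithm matched.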