Where are attachments to investigations stored?

Prepare for the Splunk Certified Enterprise Security Administrator Exam with our comprehensive practice quizzes. Test your knowledge with flashcards and multiple-choice questions, complete with detailed explanations and hints. Ensure success on your Splunk exam!

Attachments to investigations in Splunk Enterprise Security are stored in the KV Store. The KV Store is a key-value store that allows for the storage of various types of data in a structured form, which is particularly useful for managing rich data like file attachments associated with investigations. By utilizing the KV Store, users can effectively manage, query, and retrieve the data related to attachments in a secure and organized way. This functionality is crucial because investigations often require linking documents, images, or other relevant files that enhance the context and analysis of the security incidents under investigation.

The KV Store provides advantages like scalability, ease of access, and the ability to handle metadata related to attachments, making it the optimal location for storing investigation-related files. Other forms of storage such as the file system, database, or cloud storage lack the specific features and integration that the KV Store provides for investigation management in Splunk.
