<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: What is a managed app in Splunk Enterprise Security? in Splunk Enterprise Security</title>
    <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209707#M1203</link>
    <description>&lt;P&gt;Thanks for the reply.  Very helpful to know.&lt;/P&gt;

&lt;P&gt;So is the error just a bogus warning (which I'm fine with ignoring) or does it break things too?  (Upgrading will take weeks to jump through all the right (corp-imposed) hoops, looking to see if there's a workaround that will work now.)&lt;/P&gt;

&lt;P&gt;I'm also running into issues where (1) the "App" field is not populated for my custom correlation searches created in SA-CLIENT-ES-Searches, (2) attempting to edit these correlation searches takes me to a "Loading" page that never loads, (3) the correlation searches show up on the "Security Posture" and "Incident Review" pages as "Audit - MY SEARCH - Report" (instead of just "MY SEARCH"), and (4) my custom attributes like notable title and description don't show up on the "Incident Review" page.&lt;/P&gt;

&lt;P&gt;Do any of these other issues sound like the same problem that the upgrade will fix, or symptoms of a permissions issue?&lt;/P&gt;

&lt;P&gt;I think all the "import" voodoo is working, but I'm on SHC and I had to kick it in the head to get them to update properly.  But if this sounds like a permissions issue I'll review it all again more carefully.&lt;/P&gt;</description>
    <pubDate>Fri, 04 Nov 2016 00:45:16 GMT</pubDate>
    <dc:creator>Lowell</dc:creator>
    <dc:date>2016-11-04T00:45:16Z</dc:date>
    <item>
      <title>What is a managed app in Splunk Enterprise Security?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209705#M1201</link>
      <description>&lt;P&gt;I'm attempting to create a new correlation search in Splunk Enterprise Security (4.1).  I've created a blank app to house all the custom searches, but when I pick the app from the "Application Context" drop-down menu, the message "Unmanaged App has been selected" shows up beside my selection.&lt;/P&gt;

&lt;P&gt;Anyone know what a "managed app" means in the context of ES?&lt;/P&gt;

&lt;P&gt;I made sure to use an app name that gets "imported" into the ES ecosystem (example:  SA-CLIENT-ES-Searches) but that doesn't seem to be what "managed" means.&lt;/P&gt;</description>
      <pubDate>Thu, 03 Nov 2016 21:18:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209705#M1201</guid>
      <dc:creator>Lowell</dc:creator>
      <dc:date>2016-11-03T21:18:18Z</dc:date>
    </item>
    <item>
      <title>Re: What is a managed app in Splunk Enterprise Security?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209706#M1202</link>
      <description>&lt;P&gt;Good question, @Lowell. You are likely running into known issue SOLNESS-10022, fixed in 4.1.2 (and therefore also in 4.1.3). (I didn't see the known issue listed in the known issues table for 4.1.1, so I added it there for reference). &lt;/P&gt;

&lt;P&gt;Previously we warned on "unmanaged" app selection to warn people that they were selecting an app that wasn't automatically imported into ES. However, we changed the drop-down behavior to make sure that only apps imported into ES displayed, so that messaging was no longer needed. &lt;/P&gt;</description>
      <pubDate>Thu, 03 Nov 2016 21:29:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209706#M1202</guid>
      <dc:creator>smoir_splunk</dc:creator>
      <dc:date>2016-11-03T21:29:31Z</dc:date>
    </item>
    <item>
      <title>Re: What is a managed app in Splunk Enterprise Security?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209707#M1203</link>
      <description>&lt;P&gt;Thanks for the reply.  Very helpful to know.&lt;/P&gt;

&lt;P&gt;So is the error just a bogus warning (which I'm fine with ignoring) or does it break things too?  (Upgrading will take weeks to jump through all the right (corp-imposed) hoops, looking to see if there's a workaround that will work now.)&lt;/P&gt;

&lt;P&gt;I'm also running into issues where (1) the "App" field is not populated for my custom correlation searches created in SA-CLIENT-ES-Searches, (2) attempting to edit these correlation searches takes me to a "Loading" page that never loads, (3) the correlation searches show up on the "Security Posture" and "Incident Review" pages as "Audit - MY SEARCH - Report" (instead of just "MY SEARCH"), and (4) my custom attributes like notable title and description don't show up on the "Incident Review" page.&lt;/P&gt;

&lt;P&gt;Do any of these other issues sound like the same problem that the upgrade will fix, or symptoms of a permissions issue?&lt;/P&gt;

&lt;P&gt;I think all the "import" voodoo is working, but I'm on SHC and I had to kick it in the head to get them to update properly.  But if this sounds like a permissions issue I'll review it all again more carefully.&lt;/P&gt;</description>
      <pubDate>Fri, 04 Nov 2016 00:45:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209707#M1203</guid>
      <dc:creator>Lowell</dc:creator>
      <dc:date>2016-11-04T00:45:16Z</dc:date>
    </item>
    <item>
      <title>Re: What is a managed app in Splunk Enterprise Security?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209708#M1204</link>
      <description>&lt;P&gt;If I run &lt;CODE&gt;| rest splunk_server=local /services/alerts/correlationsearches&lt;/CODE&gt; from the main ES app, I don't see the searches from my custom app.&lt;/P&gt;

&lt;P&gt;Doh, I figured it out!   Metadata issue on the SA-CLIENT-ES-Searches app.   I wasn't exporting.  (I forgot that you had to, I was thinking that if you import it, you don't have to export globally, but I guess that's wrong.)&lt;/P&gt;

&lt;P&gt;Note that &lt;CODE&gt;import&lt;/CODE&gt; is STILL not documented on &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Defaultmetaconf"&gt;http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Defaultmetaconf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Looks like that has solved most of the issues above, still seeing the "Audit - * - Report" format name in a few places, but I'm going to give that some time to see if it will go away on its own (possibly cached?).  Hopefully the new events will come in properly.&lt;/P&gt;

&lt;P&gt;And I'll get the ES upgrade on the list!  Thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 04 Nov 2016 01:09:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209708#M1204</guid>
      <dc:creator>Lowell</dc:creator>
      <dc:date>2016-11-04T01:09:56Z</dc:date>
    </item>
    <item>
      <title>Re: What is a managed app in Splunk Enterprise Security?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209709#M1205</link>
      <description>&lt;P&gt;Glad everything worked out for you! Would it be worth it to update the docs with a reminder to export the metadata for custom apps that you're importing? &lt;/P&gt;</description>
      <pubDate>Fri, 04 Nov 2016 17:10:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209709#M1205</guid>
      <dc:creator>smoir_splunk</dc:creator>
      <dc:date>2016-11-04T17:10:26Z</dc:date>
    </item>
    <item>
      <title>Re: What is a managed app in Splunk Enterprise Security?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209710#M1206</link>
      <description>&lt;P&gt;Yes, that would be helpful!  Last night I sent over a request to the docs team about documenting "import" feature on the "default.meta.conf" page as well.  Thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 04 Nov 2016 17:33:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-a-managed-app-in-Splunk-Enterprise-Security/m-p/209710#M1206</guid>
      <dc:creator>Lowell</dc:creator>
      <dc:date>2016-11-04T17:33:06Z</dc:date>
    </item>
  </channel>
</rss>

