Alerting

Export all Rules

jillrae
New Member

How do you export all rules from Splunk for an internal audit request?

Labels (1)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Print all of the .conf files in $SPLUNK_HOME/etc/* and drop the pages in front of the auditor.  He or she will quickly figure out the wrong question was asked and be more specific about the information sought.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jillrae
New Member

I work on the data analytics team for audit.  Can you help me fill the request possibly by explaining what is wrong with the data request? I want to try to narrow down the data to get the team what they need.  I really appreciate any help I can get with  this. 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Start by asking the team what they need.  "Everything" is a wrong answer.  "All rules" is another wrong answer because, strictly speaking, Splunk doesn't have rules.

A typical audit team has a checklist they use to verify compliance with some standard.  Ask them what artifacts are needed to confirm Splunk complies with each item.

For example, auditors may want to know that you are alerted when a particular event happens.  In that case, show them a screenshot of the configured alert.

Perhaps the audit team wants to verify certain data is scrubbed before it is stored.  Show them the props.conf and transforms.conf settings that do the scrubbing and a query results that show scrubbed data.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust
SplunkTrust

I suppose there is a naming problem somewhere. The OP's organization probably uses splunk to monitor logs and therefore if anyone asks about a SIEM solution, the response is "Splunk".

Since Splunk as such is not your typical SIEM (even with ES it's not a straightforwardly equal solution), the typical question about SIEM rules (and iI suspect that's what it's about) doesn't make much sense.

I'd suggest approaching this question from the functional point of view because otherwise you'll end up dumping all saved searches whereas they only, for example, needed the ones which generate material for your main dashboard or something like that.

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...