I'd like to disable the default watchlists (default/getwatchlist.conf) as my client's system is air-gapped and instead use some internally sourced lists.
I've looked at the SPEC file for getwatchlist.conf (README/getwatchlist.conf.spec) and there's no mention of a "disabled" setting. Nor is there any refenced to a disabled setting within the command's sourcecode (bin/getwatchlist.py).
The simple workaround is to just delete the default/getwatchlist.conf but my preference would be to have a local/getwatchlist.conf in which I can sets disabled=true for each of the default watchlist stanzas and then add in my own stanzas.
getwatchlist.conf is a configuration only file. Meaning, getwatchlist (the command) won't use the configurations in the file unless a search is crafted to use it. They are "static" and so will not reach out to collect the information unless a saved search, SPL adhoc search, or some other "type of active search" triggers a read from the file. A "disable" option could be done, however, since the configs aren't used unless a search command is run, it doesn't make sense to disable it. It's not actively running unless told to do so via SPL. I hope this clarifies it a bit. Thanks!
getwatchlist.conf is a configuration only file. Meaning, getwatchlist (the command) won't use the configurations in the file unless a search is crafted to use it. They are "static" and so will not reach out to collect the information unless a saved search, SPL adhoc search, or some other "type of active search" triggers a read from the file. A "disable" option could be done, however, since the configs aren't used unless a search command is run, it doesn't make sense to disable it. It's not actively running unless told to do so via SPL. I hope this clarifies it a bit. Thanks!
@aplura_llc_supp , We had used Getwatchlist add-on on on-premise environment. Recently we have migrated to cloud. However, this add-on does not have supporting version for Cloud 8.2X. Is there an add-on that supports this version of cloud?
We are working on a release for Cloud. Stay tuned, thanks!
I saw the URLs referenced in the logs and assumed that it was trying to reach out to them but it was presumably just during initialisation/start-up.
One advantage of having the ability to disable the stanzas would be that I, as the administrator, can prevent someone from even trying to use them as the Splunk environment in question won't be able to connect to them as it's air-gapped.