All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is distsearch.conf whitelisting all json files in the Anomali ThreatStream App?

maciep
Champion
‎02-25-2019 10:55 AM

We noticed that the 6.3.1 version of the Anomali Threatstream App for Splunk ships with a distsearch.conf file. That conf includes a replication whitelist for all json files (see below). Assuming that's still in the latest version, could the developer elaborate on the need for that setting? Because it needs to have a much narrower scope than all json files - like maybe this app's dm json files?

It caused us issues because it effectively whitelisted system/replication/ops.json which absolutely shouldn't be part of the search bundle. That file is updated quite often, which resulted in the bundle being pushed quite often which led to bundle replication errors and ultimately incomplete search results.

[replicationWhitelist]
datamodels = .../*.json
Reply
1 Solution
Solved! Jump to solution
Solution

josh_hart_oath
Explorer
‎02-25-2019 11:26 AM

@maciep,

We're reaching out to the vendor today on that, since we've got a vested interest.

Josh

View solution in original post

Reply
Solved! Jump to solution

mghocke
Path Finder
‎02-25-2019 09:40 PM

We POCed Threatstream and now that you mentioned it I just looked for it to have a look. There is absolutely no good reason to have this path whitelisted in distsearch.conf. Actually, it is quite intruding. I would remove this setting or make it more precise like
.../threatstream/default/data/model/*.json or some such. We had quite a good line of communication into Anomali to make the app work to our liking. Is that not the case anymore once you purchase their product?

Reply
Solved! Jump to solution

maciep
Champion
‎02-26-2019 04:24 AM

I agree, they were great during the POC. But the POC is over, and I don't think I still have access to them (I have to go through our SOC team for contact). I imagine if we buy the product, the service will remain as good.

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎02-26-2019 04:31 AM

If its not needed on the Indexers, there is no need for whitelist and sending them there.

0 Karma
Reply
Solved! Jump to solution

maciep
Champion
‎02-26-2019 04:41 AM

I probably should have mentioned that it's also in the community app for threatstream that was created a couple years back...i wonder if they just started with that app when they created their own.

0 Karma
Reply
Solved! Jump to solution
Solution

josh_hart_oath
Explorer
‎02-25-2019 11:26 AM

@maciep,

We're reaching out to the vendor today on that, since we've got a vested interest.

Josh

Reply
Solved! Jump to solution

josh_hart_oath
Explorer
‎02-28-2019 04:43 AM

Our contact at Anomali responded regarding this app and said that the configuration will be removed in version 6.4 of the app and that it's safe to comment out that line (or as @mghocke mentioned, make it more precise).

0 Karma
Reply
Get Updates on the Splunk Community!

Holistic Visibility and Effective Alerting Across IT and OT Assets

Instead of effective and unified solutions, they’re left with tool fatigue, disjointed alerts and siloed ...

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...
Top