Why is distsearch.conf whitelisting all json files in the Anomali ThreatStream App?

maciep
Champion

We noticed that the 6.3.1 version of the Anomali Threatstream App for Splunk ships with a distsearch.conf file. That conf includes a replication whitelist for all json files (see below). Assuming that's still in the latest version, could the developer elaborate on the need for that setting? Because it needs to have a much narrower scope than all json files - like maybe this app's dm json files?

It caused us issues because it effectively whitelisted system/replication/ops.json which absolutely shouldn't be part of the search bundle. That file is updated quite often, which resulted in the bundle being pushed quite often which led to bundle replication errors and ultimately incomplete search results.

[replicationWhitelist]
datamodels = .../*.json
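An added check (not part of the thread, and not Anomali's or Splunk's code) that takes a distsearch.conf replicationWhitelist stanza and a list of files relative to $SPLUNK_HOME/etc, and reports which files each pattern would pull into the search bundle, following the wildcard rules documented for distsearch.conf ('...' crosses directory separators, '*' does not). The sample file list, the app directory name apps/threatstream and the tightened pattern are constructed for the demonstration.

```python
import re

# Constructed sample: the stanza the question quotes from the app's distsearch.conf.
DISTSEARCH_CONF = "[replicationWhitelist]\ndatamodels = .../*.json\n"

# Constructed sample tree, paths relative to $SPLUNK_HOME/etc (what whitelist patterns match).
SAMPLE_FILES = [
    "apps/threatstream/default/data/models/threat.json",
    "apps/search/local/data/ui/views/overview.xml",
    "system/replication/ops.json",
]

# Hypothetical narrower pattern, scoped to this app's own data model files.
TIGHTENED = "apps/threatstream/default/data/models/*.json"


def parse_whitelist(conf_text):
    """Return {name: pattern} from the [replicationWhitelist] stanza."""
    patterns, in_stanza = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_stanza = line == "[replicationWhitelist]"
        elif in_stanza and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            patterns[key.strip()] = value.strip()
    return patterns


def glob_to_regex(pattern):
    """distsearch.conf wildcard rules: '...' matches across '/', '*' stops at '/'."""
    parts = re.split(r"(\.\.\.|\*)", pattern)  # capturing group keeps the wildcards
    rx = "".join(".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + rx + "$")


def matched_files(patterns, files):
    """For each whitelist entry, the files it would pull into the search bundle."""
    return {name: sorted(f for f in files if glob_to_regex(pat).match(f))
            for name, pat in patterns.items()}


def outside_app(matches, app_dir):
    """Matched files not under the app's own directory: the ones worth flagging."""
    prefix = app_dir.rstrip("/") + "/"
    return sorted(f for fs in matches.values() for f in fs if not f.startswith(prefix))
```

Run against a real install by replacing SAMPLE_FILES with a walk of $SPLUNK_HOME/etc; any file reported by outside_app is one the app's whitelist replicates without belonging to the app.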

1 Solution

josh_hart_oath
Explorer

@maciep,

We're reaching out to the vendor today on that, since we've got a vested interest.

Josh

mghocke
Path Finder

We POCed Threatstream and now that you mentioned it I just looked for it to have a look. There is absolutely no good reason to have this path whitelisted in distsearch.conf. Actually, it is quite intruding. I would remove this setting or make it more precise like .../threatstream/default/data/model/*.json or some such. We had quite a good line of communication into Anomali to make the app work to our liking. Is that not the case anymore once you purchase their product?

maciep
Champion

I agree, they were great during the POC. But the POC is over, and I don't think I still have access to them (I have to go through our SOC team for contact). I imagine if we buy the product, the service will remain as good.

lakshman239
SplunkTrust

If it's not needed on the Indexers, there is no need for a whitelist and sending them there.

maciep
Champion

I probably should have mentioned that it's also in the community app for threatstream that was created a couple of years back... I wonder if they just started with that app when they created their own.

josh_hart_oath
Explorer

Our contact at Anomali responded regarding this app and said that the configuration will be removed in version 6.4 of the app and that it's safe to comment out that line (or as @mghocke mentioned, make it more precise).