Splunk Enterprise Security

Migrate ES correlation rules to a custom app

soumyasaha25
Contributor

I would have to move my custom Correlation rules  to a custom TA-foo app

My correlation searches comprises of:

  1. custom rules created from scratch (all across the apps estate - yup, its a mess) and
  2. a few of the OOB CRs from the DA-ESS-SA-TA-Splunk_SA_Splunk_TA_, and Splunk_DA-ESS_  apps that were modified as per my requirement

Are there any best practices/recommendations that i need to consider other than 

  1.  Add import = TA-foo in local.meta in <Splunk_HOME>/etc/apps/SplunkEnterpriseSecuritySuite/metadata
  2. add request.ui_dispatch_app = SplunkEnterpriseSecuritySuite in savedsearches.conf for each of the Correlation searches that i migrate

PS: I will also migrate the dependant KOs (macros/lookups etc) in a similar fashion to the TA-foo add on.

Is there any other better way to go about it, just to be future safe for upgrades, so that i have a single touchpoint rather than running after optimisations in each app after any activity such as a version upgrade .

Splunk version 7.3.0

ES version 5.3.1

Labels (2)
0 Karma
1 Solution

lakshman239
Influencer

@soumyasaha25  Normally, if you have access to the UI, You should be able to move/clone the correlation search/knowledge objects  (KO) from one app to another app. This would move all the dependent KO's as well. But if you have a lot to do and have access to conf files, you can copy the contents from diff apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can make your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*.  

You can have dispatch context as ES if you want. 

Test/check splunkd.logs/btool for any errors after migration and restarting the instances.

View solution in original post

0 Karma

lakshman239
Influencer

@soumyasaha25  Normally, if you have access to the UI, You should be able to move/clone the correlation search/knowledge objects  (KO) from one app to another app. This would move all the dependent KO's as well. But if you have a lot to do and have access to conf files, you can copy the contents from diff apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can make your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*.  

You can have dispatch context as ES if you want. 

Test/check splunkd.logs/btool for any errors after migration and restarting the instances.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...