Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Migrate ES correlation rules to a custom app

soumyasaha25
Contributor
‎09-15-2021 03:10 AM

I would have to move my custom Correlation rules  to a custom TA-foo app

My correlation searches comprises of:

  1. custom rules created from scratch (all across the apps estate - yup, its a mess) and
  2. a few of the OOB CRs from the DA-ESS-SA-TA-Splunk_SA_Splunk_TA_, and Splunk_DA-ESS_  apps that were modified as per my requirement

Are there any best practices/recommendations that i need to consider other than 

  1.  Add import = TA-foo in local.meta in <Splunk_HOME>/etc/apps/SplunkEnterpriseSecuritySuite/metadata
  2. add request.ui_dispatch_app = SplunkEnterpriseSecuritySuite in savedsearches.conf for each of the Correlation searches that i migrate

PS: I will also migrate the dependant KOs (macros/lookups etc) in a similar fashion to the TA-foo add on.

Is there any other better way to go about it, just to be future safe for upgrades, so that i have a single touchpoint rather than running after optimisations in each app after any activity such as a version upgrade .

Splunk version 7.3.0

ES version 5.3.1

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lakshman239
Influencer
‎09-15-2021 06:20 AM

@soumyasaha25  Normally, if you have access to the UI, You should be able to move/clone the correlation search/knowledge objects  (KO) from one app to another app. This would move all the dependent KO's as well. But if you have a lot to do and have access to conf files, you can copy the contents from diff apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can make your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*.  

You can have dispatch context as ES if you want. 

Test/check splunkd.logs/btool for any errors after migration and restarting the instances.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lakshman239
Influencer
‎09-15-2021 06:20 AM

@soumyasaha25  Normally, if you have access to the UI, You should be able to move/clone the correlation search/knowledge objects  (KO) from one app to another app. This would move all the dependent KO's as well. But if you have a lot to do and have access to conf files, you can copy the contents from diff apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can make your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*.  

You can have dispatch context as ES if you want. 

Test/check splunkd.logs/btool for any errors after migration and restarting the instances.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top