Splunk Enterprise Security

Migrate ES correlation rules to a custom app

soumyasaha25
Contributor

I would have to move my custom correlation rules to a custom TA-foo app.

My correlation searches comprise:

  1. custom rules created from scratch (all across the apps estate - yup, it's a mess) and
  2. a few of the OOB CRs from the DA-ESS-SA-TA-Splunk_SA_Splunk_TA_, and Splunk_DA-ESS_ apps that were modified as per my requirement.

Are there any best practices/recommendations that I need to consider other than

  1. add import = TA-foo in local.meta in <Splunk_HOME>/etc/apps/SplunkEnterpriseSecuritySuite/metadata
  2. add request.ui_dispatch_app = SplunkEnterpriseSecuritySuite in savedsearches.conf for each of the correlation searches that I migrate

PS: I will also migrate the dependent KOs (macros/lookups etc.) in a similar fashion to the TA-foo add-on.

Is there any other better way to go about it, just to be future safe for upgrades, so that I have a single touchpoint rather than running after optimisations in each app after any activity such as a version upgrade?

Splunk version 7.3.0

ES version 5.3.1


lakshman239
Influencer

@soumyasaha25 Normally, if you have access to the UI, you should be able to move/clone the correlation search/knowledge objects (KO) from one app to another app. This would move all the dependent KOs as well. But if you have a lot to do and have access to conf files, you can copy the contents from diff apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can set your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*.

You can have dispatch context as ES if you want.

Test/check splunkd.log/btool for any errors after migration and restarting the instances.

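The dispatch-context setting from the question (request.ui_dispatch_app = SplunkEnterpriseSecuritySuite in savedsearches.conf) and the post-migration check the answer recommends, as an added example that is not part of this thread: a POSIX shell script that scans a savedsearches.conf for stanzas missing that setting, so searches copied into the custom app are caught before they start dispatching outside the ES context. The app name TA-foo comes from the question; the three stanzas in the sample file are constructed for this example and are not real Splunk content.

```shell
#!/bin/sh
# Added example, not from the thread: flag savedsearches.conf stanzas that
# do not dispatch in the Splunk Enterprise Security context after migration
# into the custom TA-foo app (app name taken from the question).

# Constructed sample savedsearches.conf (not a real Splunk file). One stanza
# is correct, one lacks the setting, one points at the wrong app.
SAMPLE_CONF="${TMPDIR:-/tmp}/ta_foo_savedsearches.$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[Foo - Suspicious Logon - Rule]
search = | tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src
cron_schedule = */5 * * * *
request.ui_dispatch_app = SplunkEnterpriseSecuritySuite
action.correlationsearch.enabled = 1

[Foo - Rare Process - Rule]
search = | tstats count from datamodel=Endpoint.Processes by Processes.process_name
cron_schedule = 0 * * * *
action.correlationsearch.enabled = 1

[Foo - Helper Report]
search = index=_internal | stats count
request.ui_dispatch_app = TA-foo
EOF

# Print the name of every stanza in the conf file $1 that does not carry
# request.ui_dispatch_app = SplunkEnterpriseSecuritySuite.
missing_dispatch_app() {
    awk '
        function flush() {
            if (stanza != "" && !ok) print stanza
        }
        # A new [stanza] header: report the previous stanza, reset state.
        /^\[.*\]$/ {
            flush()
            stanza = substr($0, 2, length($0) - 2)
            ok = 0
            next
        }
        # Accept the setting only with the exact ES app name as its value.
        /^request\.ui_dispatch_app[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            if (v == "SplunkEnterpriseSecuritySuite") ok = 1
        }
        END { flush() }
    ' "$1"
}

# Number of flagged stanzas in $1; usable as a pass/fail gate in a CI job.
missing_count() {
    missing_dispatch_app "$1" | awk 'END { print NR }'
}

echo "Stanzas in $SAMPLE_CONF that will not dispatch in the ES context:"
missing_dispatch_app "$SAMPLE_CONF"
```

Point it at the real file, for example $SPLUNK_HOME/etc/apps/TA-foo/local/savedsearches.conf, or save the merged view from `splunk btool savedsearches list --app=TA-foo` to a file and check that, so layered default/local settings are evaluated the way splunkd sees them.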
