Splunk Enterprise Security

Migrate ES correlation rules to a custom app

soumyasaha25
Contributor

I would have to move my custom Correlation rules  to a custom TA-foo app

My correlation searches comprises of:

  1. custom rules created from scratch (all across the apps estate - yup, its a mess) and
  2. a few of the OOB CRs from the DA-ESS-SA-TA-Splunk_SA_Splunk_TA_, and Splunk_DA-ESS_  apps that were modified as per my requirement

Are there any best practices/recommendations that i need to consider other than 

  1.  Add import = TA-foo in local.meta in <Splunk_HOME>/etc/apps/SplunkEnterpriseSecuritySuite/metadata
  2. add request.ui_dispatch_app = SplunkEnterpriseSecuritySuite in savedsearches.conf for each of the Correlation searches that i migrate

PS: I will also migrate the dependant KOs (macros/lookups etc) in a similar fashion to the TA-foo add on.

Is there any other better way to go about it, just to be future safe for upgrades, so that i have a single touchpoint rather than running after optimisations in each app after any activity such as a version upgrade .

Splunk version 7.3.0

ES version 5.3.1

Labels (2)
0 Karma
1 Solution

lakshman239
SplunkTrust
SplunkTrust

@soumyasaha25  Normally, if you have access to the UI, You should be able to move/clone the correlation search/knowledge objects  (KO) from one app to another app. This would move all the dependent KO's as well. But if you have a lot to do and have access to conf files, you can copy the contents from diff apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can make your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*.  

You can have dispatch context as ES if you want. 

Test/check splunkd.logs/btool for any errors after migration and restarting the instances.

View solution in original post

0 Karma

lakshman239
SplunkTrust
SplunkTrust

@soumyasaha25  Normally, if you have access to the UI, You should be able to move/clone the correlation search/knowledge objects  (KO) from one app to another app. This would move all the dependent KO's as well. But if you have a lot to do and have access to conf files, you can copy the contents from diff apps to your new custom app and delete after testing/validation. You don't need to add import in local.meta, as you can make your app's permission to 'global/system'. ES no longer selectively imports app/TA/SA-*.  

You can have dispatch context as ES if you want. 

Test/check splunkd.logs/btool for any errors after migration and restarting the instances.

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...