Splunk Enterprise Security

SecKit with ES 6.1.1

kbrazil899
New Member

I am trying to configure SecKit with ES 6.1.1 but I am running into an issue with the configuration I am hoping someone has completed this and can shed some light.

Configuration

As an es_admin navigate to Splunk Enterprise Security
From the Configure menu select General
From the General menu select App Imports Update
Click on “update_es”
Append |(SecKit_[ST]A_.*) to the Application Regular Expression`
Click Save

When I go to the General Menu I do not see the option for App imports, I have looked around and have not seeing this at all.

If I skip this step I can run the first search: | inputlookup seckit_idm_network_masks_lookup to validate that results are there.

But when I run the next steps of saved searches I get errors.

Run the search | from savedsearch: "seckit_idm_common_assets_networks_lookup_gen" This one works fine with no issues.

Run the search | from savedsearch: "Identity - Asset String Matches - Lookup Gen"
I get the following error: Error in 'savedsearch' command: Unable to find saved search named 'Identity - Asset CIDR Matches - Lookup Gen'.

Run the search | from savedsearch: "Identity - Asset CIDR Matches - Lookup Gen"
I get the following error: Error in 'savedsearch' command: Unable to find saved search named 'Identity - Asset CIDR Matches - Lookup Gen'.

When I go to look for the searches I can not find them. I have used SecKit in the past and it was awesome I was hoping to get it up and running in Splunk 8 and ES 6.1.1.

I have SecKit_SA_idm_common 3.0.8Rbaf6f27, SecKit_SA_idm_windows 3.0.4Ra988ca6, and SecKit_TA_idm_windows 1.0.3R4bb45a7 all installed.

0 Karma

TedLam
Engager

Hi kbrazil899,

I was having the same issue as you and finally figured out. It looks like you are running ES version 6 and above.

In ES version 6 and above, they retired the saved search for "Identity - Asset String Matches - Lookup Gen" and  "Identity - Asset CIDR Matches - Lookup Gen."

You can find more information here: https://docs.splunk.com/Documentation/ES/6.2.0/Admin/Assetandidentitylookups

Instead of running saved searches, you run lookups for data to merge. You can get more info here in the how to run lookup searches: https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/ConfigureKVstorelookups

For the saved searches above, you can run 

| inputlookup asset_lookup_by_str

| inputlookup asset_lookup_by_cidr

 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...