I've disabled the Google search feature in ./SA-ThreatIntelligence/local/workflow_actions.conf and confirmed it is no longer a selectable feature in the ES Search UI and throughout; however, I still see it as an available option in the IR DB (Incident Review dashboard). Am I missing another conf file or setting outside of workflow?
Current settings:
./SA-ThreatIntelligence/local/workflow_actions.conf
[Google]
disabled = True
display_location = field_menu
fields = *
label = Google $@field_value$
link.method = get
link.uri = http://www.google.com/search?q=$@field_value$
type = link
This is a bug in ES 3.2.1, reported in SOLNESS-6376.
Workaround: remove the asterisk in the 'fields' setting and replace it with random text.
./SA-ThreatIntelligence/local/workflow_actions.conf
[Google]
disabled = True
display_location = field_menu
fields = XXXXXXXX
label = Google $@field_value$
link.method = get
link.uri = http://www.google.com/search?q=$@field_value$
type = link
Save the changes and restart splunkd.
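A check for the condition described in the answer, as an added example that is not part of the original post or Splunk's own tooling: it reads the text of one workflow_actions.conf and lists stanzas that are disabled yet still have a bare asterisk in 'fields'. The accepted boolean spellings and the sample stanzas other than [Google] are assumptions, and it inspects a single file without merging default and local.

```python
import re

# Assumption: spellings treated as boolean true for 'disabled'.
TRUE_VALUES = {"1", "true", "t", "yes", "y"}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; line continuations are not handled."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            # Split on the first '=' only, so URIs containing '=' stay intact.
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def affected_stanzas(text):
    """Return stanzas that are disabled but still list a bare '*' in 'fields'."""
    hits = []
    for name, kv in parse_conf(text).items():
        disabled = kv.get("disabled", "").lower() in TRUE_VALUES
        fields = [f.strip() for f in kv.get("fields", "").split(",")]
        if disabled and "*" in fields:
            hits.append(name)
    return hits

# Constructed sample: [Google] mirrors the question; the other two stanzas are hypothetical.
SAMPLE = """
[Google]
disabled = True
fields = *
link.uri = http://www.google.com/search?q=$@field_value$
[Google_workaround]
disabled = True
fields = XXXXXXXX
[Enabled_lookup]
disabled = False
fields = *
"""

if __name__ == "__main__":
    for stanza in affected_stanzas(SAMPLE):
        print(f"[{stanza}] is disabled but fields = * (apply the workaround)")
```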