We've provided some background info to go with the questions as they relate to the Splunk Enterprise Security 4.x app. Thanks!
1. Is it possible to create a correlation search in our company's app? So, will the search trigger properly outside of the Splunk Enterprise Security app in the company's app?
2. We would like to know: what is the minimal set of roles we can use?
- For calling those Splunk REST KV store APIs, it seems that I have to use the user that has the "admin" role. This may be too demanding, as no Splunk administrator would easily give out "admin" user credentials.
3. Is there any caveat for this approach, or any better ones?
- Our company's Splunk_TA add-on integrates our Optic source IOC (ip, domain, url) lists into Splunk ES's Threat Activity dashboard. On the dashboard's "Threat Group" dropdown menu, you can see our contributed menu items: x_threalist_ip, x_threatlist_domain and x_threatlist_url. When you select any of them, the dashboard shows the threat activity events matched by the selection. The IOC values of these 3 lists are defined through 3 lookup CSV files. This setup can be seen in the two attached conf files.
Whenever the 3 lookup files are updated (sent through our Opticlink), we expect the old IOC values of these 3 lists to be completely overwritten by the new values. This was the case in Splunk ES 3.2. But in the current Splunk 4.x, our IOC values are joined into ES's threatlist KV store collections (the ip_intel and http_intel collections). The behavior is that new values from the updated CSV files do get added to the KV store, but old values from the old CSV files do not get removed.
Hey @joshfu, let me take a stab at these:
Is it possible to create a correlation search in our company's app? So, will the search trigger properly outside of the Splunk Enterprise Security app in the company's app?
Not totally sure I follow: do you want to create correlation searches that ES can consume, or do you want to use correlation searches without ES being present, or something totally different? If you just copy/paste the correlation search SPL and run it in your app (assuming your app is installed on an ES SH... which is kind of a no-no), it should just work, as most of the underlying TAs and components have export=system set for all their knowledge objects. You would get results from the search at that point, but I'm not sure whether you plan to do something specific with the results in your app?
We would like to know: what is the minimal set of roles we can use?
For calling those Splunk REST KV store APIs, it seems that I have to use the user that has the "admin" role. This may be too demanding, as no Splunk administrator would easily give out "admin" user credentials.
Out of the box you could create an account that is assigned the "splunk-system-role" role. Otherwise I think at minimum you'll need to create a Splunk role that has the "admin_all_objects" capability, which is better, but not by much. Are you making REST calls externally, or is this integration running from within the app? In any case, make sure it's a unique account so that at least you can audit activity by that account.
Is there any caveat for this approach, or any better ones?
Our company's Splunk_TA add-on integrates our Optic source IOC (ip, domain, url) lists into Splunk ES's Threat Activity dashboard. On the dashboard's "Threat Group" dropdown menu, you can see our contributed menu items: x_threalist_ip, x_threatlist_domain and x_threatlist_url. When you select any of them, the dashboard shows the threat activity events matched by the selection. The IOC values of these 3 lists are defined through 3 lookup CSV files. This setup can be seen in the two attached conf files.
Whenever the 3 lookup files are updated (sent through our Opticlink), we expect the old IOC values of these 3 lists to be completely overwritten by the new values. This was the case in Splunk ES 3.2. But in the current Splunk 4.x, our IOC values are joined into ES's threatlist KV store collections (the ip_intel and http_intel collections). The behavior is that new values from the updated CSV files do get added to the KV store, but old values from the old CSV files do not get removed.
Seems okay to me; generally speaking, when the indicators get pushed into the KV store, they should then be deduped for you. It does make the list of indicators rather long over time, but at least there shouldn't be duplicates. Also, I didn't see your conf files attached to this thread.
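As an added example (not code from the thread, the add-on, or Splunk), here is how a "replace, don't merge" reload of a KV store collection can be done over the REST API with a dedicated service account rather than an admin user. It addresses both points above: the account logs in with its own credentials and gets a session key (the role behind it still needs write access on the collection's ACL, which is what the ES permissions page grants; that is an assumption about your deployment), and the loader deletes the collection's existing records before batch-saving the new CSV contents, so stale indicators from an earlier file do not linger. The host, app name, collection name, service-account name and the sample CSV are all assumed or constructed for illustration.

```python
"""Replace-not-merge loader for a Splunk KV store collection over the REST API.

Added example, not part of the original thread. SPLUNK_HOST, APP, the
collection name and the service-account credentials are assumptions.
"""
import csv
import io
import json
import ssl
import xml.etree.ElementTree as ET
from urllib import parse, request

SPLUNK_HOST = "https://splunk.example.com:8089"  # assumed management-port URL
APP = "x_threat_ta"                                # assumed app that owns the collection
BATCH_LIMIT = 1000  # Splunk's default max_documents_per_batch_save in limits.conf [kvstore]


def parse_indicator_csv(text, key_field):
    """Turn CSV text into KV store records, dropping rows with a blank or duplicate key."""
    seen = set()
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        key = (row.get(key_field) or "").strip()
        if not key or key in seen:
            continue
        seen.add(key)
        records.append({k: (v or "").strip() for k, v in row.items()})
    return records


def chunk(records, size=BATCH_LIMIT):
    """Split records into lists no larger than the batch_save limit."""
    return [records[i:i + size] for i in range(0, len(records), size)]


def data_url(collection, suffix="", query=None):
    """Build the storage/collections/data URL, optionally with a JSON query filter."""
    url = f"{SPLUNK_HOST}/servicesNS/nobody/{APP}/storage/collections/data/{collection}{suffix}"
    if query is not None:
        url += "?" + parse.urlencode({"query": json.dumps(query)})
    return url


def login(username, password, ctx):
    """Exchange the service account's credentials for a session key (services/auth/login)."""
    body = parse.urlencode({"username": username, "password": password}).encode()
    req = request.Request(f"{SPLUNK_HOST}/services/auth/login", data=body, method="POST")
    with request.urlopen(req, context=ctx) as resp:
        return ET.fromstring(resp.read()).findtext("sessionKey")


def call(method, url, session_key, body=None, ctx=None):
    """Issue one REST call authenticated with 'Authorization: Splunk <sessionKey>'."""
    headers = {"Authorization": f"Splunk {session_key}"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    req = request.Request(url, data=data, headers=headers, method=method)
    with request.urlopen(req, context=ctx) as resp:
        return resp.read()


def replace_collection(collection, records, session_key, ctx=None, scope=None):
    """Delete existing records (all, or only those matching scope), then batch_save the new ones.

    scope is a KV store query dict such as {"source": "x_threatlist_ip"}; pass it when
    the collection is shared with other feeds so only this feed's old records go away.
    """
    call("DELETE", data_url(collection, query=scope), session_key, ctx=ctx)
    for batch in chunk(records):
        call("POST", data_url(collection, "/batch_save"), session_key, body=batch, ctx=ctx)
    return len(records)


if __name__ == "__main__":
    ctx = ssl.create_default_context()  # verify the management-port certificate
    # Constructed sample feed; the real input is the CSV delivered through Opticlink.
    sample = "ip,description\n198.51.100.7,c2\n198.51.100.7,c2 again\n,blank\n203.0.113.9,scanner\n"
    recs = parse_indicator_csv(sample, "ip")
    key = login("svc_threatfeed", "<password>", ctx)  # assumed dedicated service account
    print(replace_collection("x_threatlist_ip", recs, key, ctx))
```

The delete-then-save sequence is not atomic: between the DELETE and the last batch_save the collection is partially empty, so a correlation search that runs in that window can miss matches. Run the reload at a quiet time or use the scope filter so only the feed being refreshed is cleared. Prefer a session key obtained by the service account over embedding admin credentials, and keep the account unique so its KV store writes stand out in the audit log.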
Thanks @kchamplin! Much appreciated
A note regarding minimal roles: you should be able to use roles without admin/admin_all_objects if you add capabilities using the permissions edit page in ES (Configure > General > Permissions). That page sets some low-level permissions to allow non-admins to read and write things such as KV store collections.