Splunk Enterprise Security

Splunk Enterprise Security: How to backup and version control correlation searches used

claxpum0n
New Member

Hey everyone,

I've looked around for a little and but was trying to find out if there was a way to backup and do version control with comments on saved correlation searches.

We have multiple users that have access to our content in ES and wanted to do a well-documented version control/ backup of searches used in correlation search. We are currently doing this via private git instance but wanted to explore possibilities through Splunk.

I've found some guidance using index=_internal from below but didn't get too far working with different source types within the index.

https://answers.splunk.com/answers/525792/is-there-an-audit-log-that-tracks-changes-to-conte.html

Thanks!

0 Karma

gjanders
SplunkTrust
SplunkTrust

Have you looked at the apps for this?

FN1315 - Cover Your Assets: Protect Your Knowledge Objects from Yourself (and Others) - A Paychex st...
Git Version Control for Splunk
VersionControl For Splunk

There are pro's and con's to each solution, the last one is my version. It allows a user to restore via a dashboard but is likely the most complex of the mentioned solutions 🙂

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/

securitypaul
Explorer

Splunk version 8.1 allows you to comment SPL searches. Maybe you could use that as a way to track changes.

https://www.youtube.com/watch?v=sN03YNKZeBM

https://docs.splunk.com/Documentation/Splunk/8.1.0/Search/Addcommentstosearches

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!