Splunk Enterprise Security

Splunk Enterprise Security: How to backup and version control correlation searches used?

claxpum0n
New Member

Hey everyone,

I've looked around for a little but was trying to find out if there was a way to back up and do version control, with comments, on saved correlation searches.

We have multiple users that have access to our content in ES and wanted to do a well-documented version control/backup of the searches used in correlation searches. We are currently doing this via a private git instance but wanted to explore possibilities through Splunk.

I've found some guidance using index=_internal from below but didn't get too far working with different source types within the index.

https://answers.splunk.com/answers/525792/is-there-an-audit-log-that-tracks-changes-to-conte.html

Thanks!

0 Karma
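One way to do the git half of this from Splunk's own data, as an added example (it is not the original poster's script and not code from any of the apps mentioned in the thread): pull every saved search over the REST API, keep only the ES correlation searches (those carry action.correlationsearch.enabled=1), and write each one as a sorted-key .conf stanza with the churny scheduler attributes stripped, so that a git commit of the output directory gives a readable diff per rule. The host, token and the list of volatile attributes are assumptions; the sample REST response is constructed.

```python
"""Export Splunk ES correlation searches into git-friendly .conf files.

Added example for this thread, not the poster's script nor code from any of the
apps mentioned. Assumes a Splunk management URL and an auth token (constants
below); the REST endpoint and JSON layout are the standard saved/searches
output, and SAMPLE_RESPONSE is a constructed stand-in for a real reply.
"""
import json
import re
import urllib.request
from pathlib import Path

SPLUNK_URL = "https://splunk.example.com:8089"   # assumed management host:port
SPLUNK_TOKEN = "REPLACE_WITH_TOKEN"               # assumed Splunk authentication token
SAVED_SEARCHES = "/servicesNS/-/-/saved/searches?output_mode=json&count=0"

# Attributes that churn on every scheduler run or save but mean nothing for
# version control (assumed starting list; extend it if your diffs stay noisy).
VOLATILE = {"next_scheduled_time", "qualifiedSearch", "triggered_alert_count",
            "eai:digest", "eai:acl", "eai:attributes"}

# Constructed, trimmed sample of what the endpoint returns: one ES correlation
# search (action.correlationsearch.enabled=1) and one ordinary saved search.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Threat - Brute Force Access Behavior Detected - Rule",
     "acl": {"app": "DA-ESS-AccessProtection", "owner": "nobody"},
     "content": {
         "action.correlationsearch.enabled": "1",
         "action.correlationsearch.label": "Brute Force Access Behavior Detected",
         "search": ("| tstats count from datamodel=Authentication "
                    "where Authentication.action=failure by Authentication.src "
                    "| where count > 5"),
         "cron_schedule": "*/5 * * * *",
         "disabled": 0,
         "next_scheduled_time": "2024-11-20 10:05:00 UTC"}},
    {"name": "Errors in the last 24 hours",
     "acl": {"app": "search", "owner": "admin"},
     "content": {"search": "error", "disabled": 0}},
]})


def fetch_saved_searches(base_url=SPLUNK_URL, token=SPLUNK_TOKEN):
    """Pull every saved search the token's role can read. Network call, not run offline."""
    req = urllib.request.Request(base_url + SAVED_SEARCHES,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["entry"]


def correlation_searches(entries):
    """Keep only entries flagged as ES correlation searches."""
    return [e for e in entries
            if str(e["content"].get("action.correlationsearch.enabled", "0")) == "1"]


def to_conf(entry):
    """Render one entry as a savedsearches.conf-style stanza with sorted keys so diffs are stable."""
    lines = [f"[{entry['name']}]"]
    for key, value in sorted(entry["content"].items()):
        if key in VOLATILE or value is None:
            continue
        # conf files continue a multi-line value with a trailing backslash
        lines.append(f"{key} = {str(value).replace(chr(10), chr(92) + chr(10))}")
    return "\n".join(lines) + "\n"


def parse_conf(text):
    """Inverse of to_conf for a single stanza. Values that genuinely end in a backslash are not supported."""
    attrs, key = {}, None
    for raw in text.splitlines():
        if raw.startswith("[") or not raw.strip():
            continue
        if key is not None and attrs[key].endswith("\\"):
            attrs[key] = attrs[key][:-1] + "\n" + raw    # continuation line
            continue
        key, _, value = raw.partition(" = ")
        attrs[key] = value
    return attrs


def changed_keys(old_text, new_text):
    """Attributes whose value differs between two exported stanzas: what a reviewer should read."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))


def safe_filename(name):
    return re.sub(r"[^A-Za-z0-9._-]+", "_", name).strip("_") + ".conf"


def export(entries, root):
    """Write one file per correlation search under <root>/<app>/; returns the paths written."""
    written = []
    for entry in correlation_searches(entries):
        app_dir = Path(root) / entry["acl"]["app"]
        app_dir.mkdir(parents=True, exist_ok=True)
        path = app_dir / safe_filename(entry["name"])
        path.write_text(to_conf(entry), encoding="utf-8")
        written.append(path)
    return written


if __name__ == "__main__":
    entries = json.loads(SAMPLE_RESPONSE)["entry"]   # swap for fetch_saved_searches()
    for path in export(entries, "es-correlation-searches"):
        print("wrote", path)
```

Run it from cron (or a scheduled Splunk alert action) and then `git add -A && git commit` in the output directory; the commit message is where the "comment" on a change lives, and `changed_keys` on the previous and current file tells the reviewer whether it was the SPL, the schedule or just the `disabled` flag that moved. The token's role needs read access to saved searches across all ES apps, which is why the export walks `/servicesNS/-/-/` rather than a single app namespace.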

gabriel_vasseur
Contributor

You might like https://splunkbase.splunk.com/app/6895 to track changes to your knowledge objects. It's no effort, doesn't require git or anything else, and works equally well on-prem and in the cloud.

And it sounds like you should probably have a look at my ES Choreographer app: https://splunkbase.splunk.com/app/6309 as presented at .conf21 https://conf.splunk.com/files/2021/recordings/SEC1441A.mp4

0 Karma

gjanders
SplunkTrust

Have you looked at the apps for this?

FN1315 - Cover Your Assets: Protect Your Knowledge Objects from Yourself (and Others) - A Paychex st...
Git Version Control for Splunk
VersionControl For Splunk

There are pros and cons to each solution; the last one is my version. It allows a user to restore via a dashboard but is likely the most complex of the mentioned solutions 🙂

securitypaul
Explorer

Splunk version 8.1 allows you to comment SPL searches. Maybe you could use that as a way to track changes.

https://www.youtube.com/watch?v=sN03YNKZeBM

https://docs.splunk.com/Documentation/Splunk/8.1.0/Search/Addcommentstosearches

0 Karma