Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Enterprise Security: How to backup and version control correlation searches used?

claxpum0n
New Member
‎11-21-2019 10:13 AM

Hey everyone,

I've looked around for a little and but was trying to find out if there was a way to backup and do version control with comments on saved correlation searches.

We have multiple users that have access to our content in ES and wanted to do a well-documented version control/ backup of searches used in correlation search. We are currently doing this via private git instance but wanted to explore possibilities through Splunk.

I've found some guidance using index=_internal from below but didn't get too far working with different source types within the index.

https://answers.splunk.com/answers/525792/is-there-an-audit-log-that-tracks-changes-to-conte.html

Thanks!

0 Karma
Reply

gabriel_vasseur
Contributor
‎05-17-2023 02:54 AM

You might like https://splunkbase.splunk.com/app/6895 to track changes to your knowledge objects. It's no effort, doesn't require git or anything else, and works equally well on-prem and in cloud.

And it sounds like you should probably have a look at my ES Choreographer app: https://splunkbase.splunk.com/app/6309 as presented at .conf21 https://conf.splunk.com/files/2021/recordings/SEC1441A.mp4

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎11-21-2019 07:07 PM

Have you looked at the apps for this?

FN1315 - Cover Your Assets: Protect Your Knowledge Objects from Yourself (and Others) - A Paychex st...
Git Version Control for Splunk
VersionControl For Splunk

There are pro's and con's to each solution, the last one is my version. It allows a user to restore via a dashboard but is likely the most complex of the mentioned solutions 🙂

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

securitypaul
Explorer
‎11-04-2020 02:36 AM

Splunk version 8.1 allows you to comment SPL searches. Maybe you could use that as a way to track changes.

https://www.youtube.com/watch?v=sN03YNKZeBM

https://docs.splunk.com/Documentation/Splunk/8.1.0/Search/Addcommentstosearches

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...