Splunk Enterprise Security

Splunk Enterprise Security doesn’t recognize eventtypes from custom TA

asohahn_splunk
Splunk Employee

I’ve created a custom TA in order to make it work with Enterprise Security, packaged it as 'TA_foo' and deployed it on my Splunk instance.

The eventtypes worked fine in the Search & Reporting app, showing every field mapped to CIM attack and ids, but when I change the app context to Enterprise Security they don’t seem to show up properly.

All permissions are set to global.


martin_mueller
SplunkTrust

You really should NOT edit local.meta to import differently-named TAs that don't match TA-.*. Instead, you should edit the appropriate regex in inputs.conf as documented here: http://docs.splunk.com/Documentation/ES/4.0.1/Install/InstallTechnologyAdd-ons#Import_add-ons_with_a...


asohahn_splunk
Splunk Employee

UPDATE
I'm changing my answer. DON'T DO THIS. As martin and esix pointed out, it's not a good idea to break the standard way of using ES.
Just try to understand why the eventtype didn't show up in ES only, since Splunk doesn't tell you exactly why. I guess I should have focused more on explaining the reason.

  • If the eventtype configuration was added in search app then it would have worked because search app is included in the dependency path.
  • If the custom TA name followed the convention like "TA-foo" (instead of TA_foo) then it would have worked because ES will recognize it.

Anyway, always use CIM-compatible add-ons and ask for PS if you need any customization.

I'll keep my previous answer below in case somebody might make similar mistakes.


It seems that Enterprise Security has a dependency on its apps and add-ons. If you go to $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/metadata and open up the default.meta file, you’ll see an attribute named “import”. This attribute is not documented in default.meta.conf.

But it is pretty obvious if you follow the import dependency through ES to DA to SA to TA that your custom add-on, which is a TA, should be added to some SA. For those who don’t know, DA stands for Domain Add-on, SA for Support Add-on and TA for Technology Add-on.

I’ve added my 'TA_foo' in Splunk_SA_CIM by modifying $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/metadata/local.meta like below, and now it works fine. (Just add ', TA_foo' at the end of the import attribute.)

[]
access = read : [ * ], write : [ admin ]
export = system
version = 6.3.1
modtime = 1449612718.015126000
import = DA-ESS-AccessProtection, DA-ESS-EndpointProtection, DA-ESS-IdentityManagement, DA-ESS-NetworkProtection, DA-ESS-ThreatIntelligence, SA-AccessProtection, SA-AuditAndDataProtection, SA-EndpointProtection, SA-IdentityManagement, SA-NetworkProtection, SA-ThreatIntelligence, SA-UEBA, SA-Utils, Splunk_DA-ESS_PCICompliance, Splunk_SA_CIM, Splunk_SA_ExtremeSearch, Splunk_TA_bluecoat-proxysg, Splunk_TA_bro, Splunk_TA_flowfix, Splunk_TA_juniper, Splunk_TA_mcafee, Splunk_TA_nessus, Splunk_TA_nix, Splunk_TA_oracle, Splunk_TA_ossec, Splunk_TA_paloalto, Splunk_TA_sophos, Splunk_TA_sourcefire, Splunk_TA_symantec-ep, Splunk_TA_ueba, Splunk_TA_windows, TA-airdefense, TA-alcatel, TA-cef, TA-fireeye, TA-fortinet, TA-ftp, TA-ncircle, TA-nmap, TA-rsa, TA-tippingpoint, TA-trendmicro, TA-websense, search, TA_foo

Restart Splunk or call https://splunk_host:8000/en_US/debug/refresh to make changes effective.

To check whether ES now recognizes your eventtypes, go to Settings > Event Types and search your eventtype with App context selected to Enterprise Security.
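The two points made in this thread, Martin's (change the app-import regex in ES's inputs.conf rather than hand-editing local.meta) and the naming-convention point in the update above (TA-foo is picked up, TA_foo is not), can both be checked before anything is deployed. The script below is an added example and is not code from this thread or from Splunk. It models the mechanism as the thread and the linked documentation describe it: ES has an `[app_imports_update://update_es]` stanza whose `app_regex` / `app_exclude_regex` decide which installed app directories end up in the `import` attribute of ES's own local.meta, and a `local/inputs.conf` override of `app_regex` is the supported way to add a non-standard name. The app names, the conf text and the two regexes are constructed stand-ins (they are not ES's real defaults), and anchored full matching against the app directory name is an assumption about the updater's semantics.

```python
"""Added example, not from the thread or from Splunk: check whether a custom
add-on's directory name is picked up by ES's app-import regex, and what the
generated 'import' list in ES's metadata/local.meta would contain.

Assumptions: the conf snippets and app names below are constructed; the
regexes are stand-ins for ES's defaults; matching is an anchored full match
on the app directory name."""
import re

STANZA = "app_imports_update://update_es"


def parse_conf(text):
    """Minimal Splunk .conf/.meta parser -> {stanza: {key: value}}.
    Unlike configparser it accepts the empty global stanza '[]' used in .meta files."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_stanza(default_text, local_text, stanza=STANZA):
    """Splunk layering: keys in local/ override the same keys in default/."""
    merged = dict(parse_conf(default_text).get(stanza, {}))
    merged.update(parse_conf(local_text).get(stanza, {}))
    return merged


def imported_apps(app_names, settings):
    """Apps the updater would import: match app_regex, then drop app_exclude_regex hits."""
    include = re.compile(settings["app_regex"])
    exclude = re.compile(settings["app_exclude_regex"]) if settings.get("app_exclude_regex") else None
    return sorted(
        name for name in app_names
        if include.fullmatch(name) and not (exclude and exclude.fullmatch(name))
    )


def render_import_meta(apps):
    """The '[]' stanza the updater would write into ES's metadata/local.meta."""
    return "[]\nimport = " + ", ".join(apps) + "\n"


def hand_edits_at_risk(hand_edited_meta, generated_apps):
    """Names present in a hand-edited import list but absent from the regex-generated
    one, i.e. what a regeneration from the regex would not reproduce."""
    imports = parse_conf(hand_edited_meta).get("", {}).get("import", "")
    listed = {a.strip() for a in imports.split(",") if a.strip()}
    return sorted(listed - set(generated_apps))


# --- constructed inputs (not ES's real defaults) ----------------------------
INSTALLED_APPS = [
    "SplunkEnterpriseSecuritySuite", "Splunk_SA_CIM", "SA-Utils",
    "DA-ESS-NetworkProtection", "Splunk_TA_windows", "TA-nmap",
    "TA-quarantine", "TA_foo", "search", "my_dashboards",
]

ES_DEFAULT_INPUTS = f"""
[{STANZA}]
app_regex = ([ST]A|DA-ESS)-.*|Splunk_(DA-ESS|[ST]A)_.*|search
app_exclude_regex = TA-quarantine
"""

# The documented fix: override app_regex in ES's local/inputs.conf (constructed).
ES_LOCAL_INPUTS = f"""
[{STANZA}]
app_regex = ([ST]A|DA-ESS)-.*|Splunk_(DA-ESS|[ST]A)_.*|search|TA_foo
"""


def check(app_name, local_inputs=""):
    """True if app_name would be imported given the (optional) local override."""
    settings = effective_stanza(ES_DEFAULT_INPUTS, local_inputs)
    return app_name in imported_apps(INSTALLED_APPS, settings)


if __name__ == "__main__":
    default = effective_stanza(ES_DEFAULT_INPUTS, "")
    generated = imported_apps(INSTALLED_APPS, default)
    print("default import list:", generated)
    print("TA_foo imported by default?", check("TA_foo"))
    print("TA_foo imported with local override?", check("TA_foo", ES_LOCAL_INPUTS))
    # Hand-adding TA_foo to the generated meta, as the answer above did:
    hand = render_import_meta(generated + ["TA_foo"])
    print("hand-added names the regex would not regenerate:", hand_edits_at_risk(hand, generated))
```

Run it as-is to see that `TA_foo` fails the default pattern (no hyphen after `TA`) while `TA-nmap` passes, that the `local/inputs.conf` override brings `TA_foo` in, and that a name added by hand to the meta file is exactly what a regex-driven regeneration would not reproduce, which is the risk the downvotes below point at.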

esix_splunk
Splunk Employee

I downvoted this post because this is not supported or recommended. See the other notes about app import properties for ES.


martin_mueller
SplunkTrust

I downvoted this post because it differs from what is documented and probably breaks when the updater runs.
