Splunk Enterprise Security

Splunk Enterprise Security doesn’t recognize eventtypes from custom TA

Splunk Employee

I’ve created a custom TA in order to make it work with Enterprise Security, packaged it as 'TA_foo' and deployed it on my Splunk instance.

The eventtypes worked fine in the Search & Reporting app, showing every field mapped with CIM attack and ids, but when I change the app context to Enterprise Security they don’t seem to show up properly.

All permissions are set to global.


SplunkTrust

You really should NOT edit local.meta to achieve importing differently-named TAs that don't match TA-.*. Instead, you should edit the appropriate regex in inputs.conf as documented here: http://docs.splunk.com/Documentation/ES/4.0.1/Install/InstallTechnologyAdd-ons#Import_add-ons_with_a...

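The accepted answer points at the ES app-import regex rather than local.meta, and the retracted answer below explains the symptom: an add-on whose directory name does not match the import pattern is simply never seen by ES, so its eventtypes, tags and CIM mappings are invisible to every correlation search, and detections that depend on that data fail silently. The following example is added here and is not code from this thread or from Splunk; it parses a constructed inputs.conf fragment and shows which app names the import regex accepts. The stanza name `app_imports_update://update_es`, the default `app_regex` value, and whole-name matching are assumptions about how ES evaluates the pattern; verify them against the default inputs.conf of your own ES installation. The app names are constructed samples.

```python
import configparser
import re

# Assumed stanza name of the ES app-import modular input. Verify against
# $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf.
STANZA = "app_imports_update://update_es"

# Constructed sample of the default import configuration. The app_regex value is
# an assumption about what ES ships; it is the literal being demonstrated, not
# a copy from a real installation.
DEFAULT_INPUTS_CONF = f"""
[{STANZA}]
app_regex = (appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)
disabled = 0
"""

# The documented style of fix: override app_regex in local/inputs.conf so the
# underscore-named add-on is accepted as well. Extending the alternation keeps
# every default pattern intact instead of replacing it.
CUSTOM_INPUTS_CONF = f"""
[{STANZA}]
app_regex = (appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(TA_foo)
disabled = 0
"""

# Constructed list of app directory names as they might appear under etc/apps.
SAMPLE_APPS = [
    "search",
    "Splunk_SA_CIM",
    "DA-ESS-AccessProtection",
    "TA-foo",          # hyphen: matches [ST]A-.*
    "TA_foo",          # underscore: matches nothing in the default regex
    "my_custom_app",   # unrelated app, never imported
]


def load_app_regex(conf_text: str, stanza: str = STANZA) -> "re.Pattern[str]":
    """Parse a Splunk-style .conf fragment and compile its app_regex value."""
    # interpolation=None so '%' in a value would not be treated specially.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return re.compile(parser[stanza]["app_regex"])


def imported_apps(conf_text: str, app_names) -> list:
    """Apps the import regex accepts (assumes ES matches the whole app name)."""
    pattern = load_app_regex(conf_text)
    return [name for name in app_names if pattern.fullmatch(name)]


def apps_invisible_to_es(conf_text: str, app_names) -> list:
    """Apps whose eventtypes, tags and lookups ES will never see."""
    imported = set(imported_apps(conf_text, app_names))
    return [name for name in app_names if name not in imported]


if __name__ == "__main__":
    print("default imports  :", imported_apps(DEFAULT_INPUTS_CONF, SAMPLE_APPS))
    print("default invisible:", apps_invisible_to_es(DEFAULT_INPUTS_CONF, SAMPLE_APPS))
    print("custom imports   :", imported_apps(CUSTOM_INPUTS_CONF, SAMPLE_APPS))
```

Running the script with the default pattern lists TA_foo among the invisible apps while TA-foo is imported, which is exactly the difference the thread turns on; with the extended pattern TA_foo appears in the imported list. The same check is a cheap audit after any ES upgrade: if the updater resets the regex, a custom add-on drops out of the import list and its detections go dark without any error.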


Splunk Employee

UPDATE
I'm changing my answer. DON'T DO THIS. As martin and esix pointed out, it's not a good idea to break the standard way of using ES.
Just try to understand why the eventtype didn't show up in ES only, since Splunk doesn't tell you exactly why. I guess I should have focused more on explaining the reason.

  • If the eventtype configuration had been added in the search app, it would have worked, because the search app is included in the dependency path.
  • If the custom TA name had followed the convention, like "TA-foo" (instead of TA_foo), it would have worked, because ES would recognize it.

Anyway, always use CIM-compatible add-ons and ask for PS if you need any customization.

I'll keep my previous answer below in case somebody might make similar mistakes.


It seems that Enterprise Security has a dependency on its apps and add-ons. If you go to $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/metadata and open up the default.meta file, you’ll see an attribute named “import”. This attribute is not documented in default.meta.conf.

But it is pretty obvious if you follow the import dependency through ES to DA to SA to TA that your custom add-on, which is a TA, should be added to some SA. For those who don’t know, DA stands for Domain Add-on, SA for Support Add-on and TA for Technology Add-on.

I’ve added my 'TA_foo' to Splunk_SA_CIM by modifying $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/metadata/local.meta as below, and now it works fine. (Just add ', TA_foo' at the end of the import attribute.)

[]
access = read : [ * ], write : [ admin ]
export = system
version = 6.3.1
modtime = 1449612718.015126000
import = DA-ESS-AccessProtection, DA-ESS-EndpointProtection, DA-ESS-IdentityManagement, DA-ESS-NetworkProtection, DA-ESS-ThreatIntelligence, SA-AccessProtection, SA-AuditAndDataProtection, SA-EndpointProtection, SA-IdentityManagement, SA-NetworkProtection, SA-ThreatIntelligence, SA-UEBA, SA-Utils, Splunk_DA-ESS_PCICompliance, Splunk_SA_CIM, Splunk_SA_ExtremeSearch, Splunk_TA_bluecoat-proxysg, Splunk_TA_bro, Splunk_TA_flowfix, Splunk_TA_juniper, Splunk_TA_mcafee, Splunk_TA_nessus, Splunk_TA_nix, Splunk_TA_oracle, Splunk_TA_ossec, Splunk_TA_paloalto, Splunk_TA_sophos, Splunk_TA_sourcefire, Splunk_TA_symantec-ep, Splunk_TA_ueba, Splunk_TA_windows, TA-airdefense, TA-alcatel, TA-cef, TA-fireeye, TA-fortinet, TA-ftp, TA-ncircle, TA-nmap, TA-rsa, TA-tippingpoint, TA-trendmicro, TA-websense, search, TA_foo

Restart Splunk or call https://splunk_host:8000/en_US/debug/refresh to make changes effective.

To check whether ES now recognizes your eventtypes, go to Settings > Event Types and search for your eventtype with the app context set to Enterprise Security.

Splunk Employee

I downvoted this post because this is not supported or recommended. See the other notes about app import properties for ES.


SplunkTrust

I downvoted this post because it differs from what is documented and probably breaks when the updater runs.
