We've provided some background info to go with the questions as they relate to the Splunk Enterprise Security 4.x app. Thanks!
1. Is it possible to create a correlation search in our company's app? So, will the search trigger properly outside of the Splunk Enterprise Security app in the company's app?
2. We would like to know what is the minimal roles set we can use?
- For calling those Splunk REST KV store APIs, it seems that I have to use a user which has the "admin" role. This may be too demanding, as no Splunk administrator would easily give out "admin" user credentials.
3. Is there any caveat for this approach, or any better ones?
- Our company's Splunk_TA addon integrates our Optic source IOC (ip, domain, url) list into Splunk ES' Threat Activity dashboard. On the dashboard's "Threat Group" dropdown menu, you can see our contributed menu items: x_threalist_ip and x_threatlist_domain and x_threatlist_url. When you select any of them, the dashboard will show the threat activity matched events corresponding to the selection. The IOC values of these 3 lists are defined through 3 lookup csv files. This setup can be seen from the two attached conf files.
Whenever the 3 lookup files are updated (sent through our Opticlink), we expect the old IOC values of these 3 lists to be completely overwritten by the new values. This was the case for Splunk ES 3.2. But in the current Splunk 4.x, our IOC values are joined into ES' threatlist KV store collections (ip_intel and http_intel collections). The behavior is that new values from the updated csv files do get added to the KV store, but old values from the old csv files do not get removed.
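As an added example (not code from the original post or from the add-on it describes), the script below shows one way to handle the stale-indicator problem described above: it diffs the previous and current versions of a threat-list lookup CSV, finds the indicators that dropped out of the feed, and builds DELETE requests against the Splunk KV store data endpoint (`storage/collections/data/<collection>`) scoped to that list's `threat_key`, so only that list's stale records are removed and entries contributed by other threat lists are untouched. The `ip_intel`/`http_intel` collection names come from the post; the column-to-collection mapping, the `threat_key` field name, the app name `TA-example`, the host `splunk.example` and the use of a dedicated service account (with write access to the collections, rather than an admin credential) are assumptions. The sample CSV contents are constructed.

```python
"""Reconcile a threat-list lookup CSV against an ES KV store collection.

Added example, not the add-on's own code. Assumptions: the lookup CSV has a
header row whose indicator column is named `ip`, `domain` or `url`; KV store
records carry the indicator in a field of the same name plus a `threat_key`
field naming the contributing list; the endpoint is
/servicesNS/nobody/<app>/storage/collections/data/<collection>.
"""
import csv
import io
import json
import urllib.parse

# Collection names are from the post; which column lands in which
# collection is an assumption.
COLLECTION_FOR = {"ip": "ip_intel", "domain": "http_intel", "url": "http_intel"}


def load_indicators(csv_text, column):
    """Return the set of non-empty indicator values in `column` of a lookup CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[column].strip() for row in reader if (row.get(column) or "").strip()}


def stale_indicators(old_csv, new_csv, column):
    """Indicators present in the previous lookup but absent from the new one."""
    return sorted(load_indicators(old_csv, column) - load_indicators(new_csv, column))


def build_delete_requests(stale, column, threat_key, app,
                          base_url="https://splunk.example:8089"):
    """Build (method, url) pairs that delete stale records from the KV store.

    Each DELETE carries a JSON `query` matching the indicator value AND the
    list's threat_key, so records the same indicator got from another list
    (or from ES' own feeds) are left alone.
    """
    collection = COLLECTION_FOR[column]
    reqs = []
    for value in stale:
        query = json.dumps({column: value, "threat_key": threat_key})
        url = (f"{base_url}/servicesNS/nobody/{app}/storage/collections/data/"
               f"{collection}?query={urllib.parse.quote(query)}")
        reqs.append(("DELETE", url))
    return reqs


def send(reqs, auth_header):
    """Issue the prepared requests. Only runs against a real Splunk instance.

    `auth_header` is the Authorization header value for a dedicated service
    account (assumed to have write access to the collections), e.g. a
    Basic credential, so no admin password has to be shared.
    """
    import urllib.request
    for method, url in reqs:
        req = urllib.request.Request(url, method=method,
                                     headers={"Authorization": auth_header})
        with urllib.request.urlopen(req) as resp:
            print(method, url, resp.status)


# Constructed sample lookups: 10.0.0.9 was in the previous feed but is gone now.
OLD_CSV = "ip,description\n10.0.0.8,c2\n10.0.0.9,scanner\n"
NEW_CSV = "ip,description\n10.0.0.8,c2\n10.0.0.10,scanner\n"

if __name__ == "__main__":
    stale = stale_indicators(OLD_CSV, NEW_CSV, "ip")
    for method, url in build_delete_requests(stale, "ip", "x_threatlist_ip", "TA-example"):
        print(method, url)  # inspect before calling send() with real credentials
```

Run it as a post-processing step whenever a new lookup file arrives: keep a copy of the previously applied CSV, compute the diff, remove the stale records, and only then let ES ingest the new file. Printing the requests first, as the block does, lets an operator confirm the scope of the deletions before anything touches the collection.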