I am trying to configure SecKit with ES 6.1.1 but I am running into an issue with the configuration I am hoping someone has completed this and can shed some light.
Configuration
As an es_admin navigate to Splunk Enterprise Security
From the Configure menu select General
From the General menu select App Imports Update
Click on “update_es”
Append |(SecKit_[ST]A_.*) to the Application Regular Expression`
Click Save
When I go to the General Menu I do not see the option for App imports, I have looked around and have not seeing this at all.
If I skip this step I can run the first search: | inputlookup seckit_idm_network_masks_lookup to validate that results are there.
But when I run the next steps of saved searches I get errors.
Run the search | from savedsearch: "seckit_idm_common_assets_networks_lookup_gen" This one works fine with no issues.
Run the search | from savedsearch: "Identity - Asset String Matches - Lookup Gen"
I get the following error: Error in 'savedsearch' command: Unable to find saved search named 'Identity - Asset CIDR Matches - Lookup Gen'.
Run the search | from savedsearch: "Identity - Asset CIDR Matches - Lookup Gen"
I get the following error: Error in 'savedsearch' command: Unable to find saved search named 'Identity - Asset CIDR Matches - Lookup Gen'.
When I go to look for the searches I can not find them. I have used SecKit in the past and it was awesome I was hoping to get it up and running in Splunk 8 and ES 6.1.1.
I have SecKit_SA_idm_common 3.0.8Rbaf6f27, SecKit_SA_idm_windows 3.0.4Ra988ca6, and SecKit_TA_idm_windows 1.0.3R4bb45a7 all installed.
... View more