We noticed that the 6.3.1 version of the Anomali Threatstream App for Splunk ships with a distsearch.conf file. That conf includes a replication whitelist for all json files (see below). Assuming that's still in the latest version, could the developer elaborate on the need for that setting? Because it needs to have a much narrower scope than all json files - like maybe this app's dm json files?
It caused us issues because it effectively whitelisted system/replication/ops.json which absolutely shouldn't be part of the search bundle. That file is updated quite often, which resulted in the bundle being pushed quite often which led to bundle replication errors and ultimately incomplete search results.
[replicationWhitelist]
datamodels = .../*.json
We POCed Threatstream and now that you mentioned it I just looked for it to have a look. There is absolutely no good reason to have this path whitelisted in distsearch.conf. Actually, it is quite intrusive. I would remove this setting or make it more precise like
.../threatstream/default/data/model/*.json
or some such. We had quite a good line of communication into Anomali to make the app work to our liking. Is that not the case anymore once you purchase their product?
I agree, they were great during the POC. But the POC is over, and I don't think I still have access to them (I have to go through our SOC team for contact). I imagine if we buy the product, the service will remain as good.
I probably should have mentioned that it's also in the community app for Threatstream that was created a couple of years back... I wonder if they just started with that app when they created their own.
Our contact at Anomali responded regarding this app and said that the configuration will be removed in version 6.4 of the app and that it's safe to comment out that line (or as @mghocke mentioned, make it more precise).
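To see why the shipped whitelist pulls system/replication/ops.json into the bundle while the narrower pattern suggested above does not, here is a small checker you can run before deploying an edited distsearch.conf. It is an added example, not code from the app or from anyone in this thread; it assumes the documented distsearch.conf wildcard rules (`...` matches any characters including `/`, `*` matches anything except `/`, everything else is literal) and that patterns are matched against paths relative to $SPLUNK_HOME/etc. The file list and the `apps/threatstream/...` paths are constructed samples.

```python
import re

# Constructed sample of files under $SPLUNK_HOME/etc (not taken from a real host).
SAMPLE_ETC_FILES = [
    "system/replication/ops.json",                              # churns constantly
    "apps/threatstream/default/data/model/threat_intel.json",  # hypothetical DM
    "apps/threatstream/local/data/model/custom.json",          # hypothetical local DM
    "apps/threatstream/default/props.conf",
    "apps/search/default/data/ui/nav/default.xml",
]

BROAD = ".../*.json"                                      # pattern shipped in 6.3.1
NARROW = ".../threatstream/default/data/model/*.json"     # pattern suggested above


def whitelist_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Splunk-style replicationWhitelist pattern into a regex.

    Assumed rules: '...' -> any characters including '/', '*' -> any characters
    except '/', every other character is matched literally (not as regex).
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


def replicated(pattern: str, etc_relative_paths) -> list:
    """Return the files (paths relative to $SPLUNK_HOME/etc) a pattern would replicate."""
    rx = whitelist_to_regex(pattern)
    return [p for p in etc_relative_paths if rx.fullmatch(p)]


if __name__ == "__main__":
    for label, pat in (("broad", BROAD), ("narrow", NARROW)):
        print(f"{label:6} {pat!r:50} -> {replicated(pat, SAMPLE_ETC_FILES)}")
```

Note that the narrowed pattern also stops replicating anything under local/, so if you keep customised data models there you would widen it to `.../threatstream/*/data/model/*.json` rather than fall back to the broad form.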