Splunk Enterprise Security

SecKit with ES 6.1.1

kbrazil899
New Member

I am trying to configure SecKit with ES 6.1.1 but I am running into an issue with the configuration I am hoping someone has completed this and can shed some light.

Configuration

As an es_admin navigate to Splunk Enterprise Security
From the Configure menu select General
From the General menu select App Imports Update
Click on “update_es”
Append |(SecKit_[ST]A_.*) to the Application Regular Expression
Click Save

When I go to the General menu I do not see the option for App Imports; I have looked around and have not seen this at all.

If I skip this step I can run the first search: | inputlookup seckit_idm_network_masks_lookup to validate that results are there.

But when I run the next steps of saved searches I get errors.

Run the search | from savedsearch: "seckit_idm_common_assets_networks_lookup_gen" This one works fine with no issues.

Run the search | from savedsearch: "Identity - Asset String Matches - Lookup Gen"
I get the following error: Error in 'savedsearch' command: Unable to find saved search named 'Identity - Asset CIDR Matches - Lookup Gen'.

Run the search | from savedsearch: "Identity - Asset CIDR Matches - Lookup Gen"
I get the following error: Error in 'savedsearch' command: Unable to find saved search named 'Identity - Asset CIDR Matches - Lookup Gen'.

When I go to look for the searches I cannot find them. I have used SecKit in the past and it was awesome; I was hoping to get it up and running in Splunk 8 and ES 6.1.1.

I have SecKit_SA_idm_common 3.0.8Rbaf6f27, SecKit_SA_idm_windows 3.0.4Ra988ca6, and SecKit_TA_idm_windows 1.0.3R4bb45a7 all installed.

0 Karma

TedLam
Engager

Hi kbrazil899,

I was having the same issue as you and finally figured it out. It looks like you are running ES version 6 and above.

In ES version 6 and above, they retired the saved searches "Identity - Asset String Matches - Lookup Gen" and "Identity - Asset CIDR Matches - Lookup Gen".

You can find more information here: https://docs.splunk.com/Documentation/ES/6.2.0/Admin/Assetandidentitylookups

Instead of running saved searches, you run lookups for data to merge. You can get more info here in the how to run lookup searches: https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/ConfigureKVstorelookups

For the saved searches above, you can run:

| inputlookup asset_lookup_by_str

| inputlookup asset_lookup_by_cidr

0 Karma
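One search that confirms both halves of TedLam's answer on your own search head, so you can see why the savedsearch command fails and that the merged lookups exist before you inputlookup them. This is an added example, not from either post or from SecKit; it assumes you run it as a user with the rest capability on the ES search head, and it only reads configuration, so it is safe to run on a production instance.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search title="Identity - Asset * Matches - Lookup Gen"
| eval kind="saved search"
| append
    [| rest /servicesNS/-/-/data/transforms/lookups splunk_server=local
     | search title="asset_lookup_by_*"
     | eval kind="lookup definition"]
| table kind title eai:acl.app
```

On ES 6.x the "saved search" rows should be absent (the two Lookup Gen searches no longer ship), while the "lookup definition" rows should show asset_lookup_by_str and asset_lookup_by_cidr under the SA-IdentityManagement app; if those lookup rows are missing, the SecKit data has nowhere to merge into and the inputlookup searches will return nothing.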