# Extreme Rules

## Installation

1. The latest build can be downloaded from https://scianta.com/products/download-software/
1. Choose the file download `XR - Extreme Rules`
1. Transfer the file `xr_linux.tar` (the `SCM-Framework` app) to the Splunk Search Head (SH) and use the Splunk CLI to install the app, e.g. `splunk install app xr_linux.tar`
1. You may need to give the splunk user read access to the file, e.g. `chmod o+r xr_linux.tar` (or `chown splunk: xr_linux.tar`, which avoids making the package world-readable)
1. Ensure the XR components are installed on the associated Indexers as noted in https://jira.xdr.accenturefederalcyber.com/browse/MSOCI-1833

## Setup Extreme Rules

1. Log in to the Splunk SH
1. Open the app `Extreme Rules`
1. Use the following configuration values on the App Setup page

   ```
   Data Store Configuration: Stand Alone
   Mongo Host: 127.0.0.1
   Mongo Port: 27020
   Password: Create a password and store it in XDR Vault for records
   UNCHECK: Create Indexes, as these were made by XDR Engineering during the Installation above
   ```

1. Once the App Setup actions complete, create the following directory on the Splunk Search Head as the splunk system user

   ```
   mkdir /opt/splunk/etc/apps/SCM-Framework/scm/exports
   ```

## Base Context Setup

The Content Team has to export the "live" Context and Models from XR on Caasp. This can be done manually from inside Splunk as follows. Keep in mind there may be more rule packages to process.

```
| xmExportRules RULE_PACKAGE XDRAuthFailureAbusiveSrc VERSION 2 APPLICATION XR
| xmExportRules RULE_PACKAGE XDRXRSignalASNVolume VERSION 2 APPLICATION XR
```

However, the XR app packs are built with scheduled jobs that back up the rule packages from the local SH Mongo to local disk nightly. Example: the app `DA-ESS-AFS-XDR-XR-AuthenticationSecurity` contains the searches `XDR - XR XDRAuthFailureAbusiveSrc - Backup` and `XDR - XR XDRXRSignalASNVolume - Backup`.

1. If XR is missing on a new or restored search head, collect the various backup json files and copy them to that search head.
1. Copy the files into place as the splunk user. Once they are SCP'd to the SH, make sure Splunk can read them:

   ```
   chmod o+r *.json
   mv *.json /tmp
   sudo -iu splunk cp /tmp/*.json /opt/splunk/etc/apps/SCM-Framework/scm/exports/
   ```

   Note that `chmod o+r` plus `/tmp` leaves the exported rule content readable by every local user on the SH; delete the copies in `/tmp` once the `cp` has succeeded.

1. Import the rule packages from the json files into the XR app in Splunk. This populates Mongo.

   ```
   | xmImportRules APPLICATION XR VERSION 2 FILE /opt/splunk/etc/apps/SCM-Framework/scm/exports/XDRAuthFailureAbusiveSrc_rule-export.json REPLACE true
   | xmImportRules APPLICATION XR VERSION 2 FILE /opt/splunk/etc/apps/SCM-Framework/scm/exports/XDRXRSignalASNVolume_rule-export.json REPLACE true
   ```

1. The system is now ready for XR content to be enabled.
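The restore steps above (stage the backup json files into the exports directory, then run one `xmImportRules` per package) are easy to get wrong by hand when there are many rule packages. The script below is an added example, not part of this runbook or of Scianta's tooling: it copies every `*_rule-export.json` from a staging directory into the exports directory with the permissions the splunk user needs, refuses empty or non-JSON files before they reach Splunk, and prints the matching `xmImportRules` search for each package. It assumes the nightly backups are named `<RULE_PACKAGE>_rule-export.json` (the pattern the runbook's own examples use); the exports path and the `stage_exports`/`gen_import_spl` function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the XR runbook or of Scianta's SCM-Framework app.
# Stages rule-package backups into the exports directory and prints the
# xmImportRules searches to paste into Splunk. Paths and names are assumptions.
set -eu

# Directory the runbook has you create on the search head (assumed path).
EXPORTS_DIR="${EXPORTS_DIR:-/opt/splunk/etc/apps/SCM-Framework/scm/exports}"

# Derive the rule-package name from a backup file name. The nightly backups are
# assumed to be named <RULE_PACKAGE>_rule-export.json, as in the runbook examples.
package_from_file() {
    base=$(basename "$1")
    case "$base" in
        *_rule-export.json) printf '%s\n' "${base%_rule-export.json}" ;;
        *) return 1 ;;
    esac
}

# Copy each *_rule-export.json from a staging directory into the exports
# directory, readable by the splunk user. Refuses empty files and files whose
# first non-whitespace byte is not '{' or '[' so a truncated or HTML error-page
# download is caught before xmImportRules sees it.
stage_exports() {
    src_dir="$1"; dst_dir="$2"
    mkdir -p "$dst_dir"
    for f in "$src_dir"/*_rule-export.json; do
        [ -e "$f" ] || { echo "no *_rule-export.json in $src_dir" >&2; return 1; }
        [ -s "$f" ] || { echo "refusing empty file: $f" >&2; return 1; }
        first=$(tr -d ' \t\r\n' < "$f" | head -c 1)
        case "$first" in
            '{'|'[') ;;
            *) echo "not JSON: $f" >&2; return 1 ;;
        esac
        cp "$f" "$dst_dir/"
        # 644 rather than o+r on the originals: only the copy in the exports
        # directory needs to be readable, and only by the splunk user.
        chmod 644 "$dst_dir/$(basename "$f")"
    done
}

# Print one xmImportRules search per staged package (VERSION 2, REPLACE true,
# matching the runbook's import lines).
gen_import_spl() {
    dst_dir="$1"
    for f in "$dst_dir"/*_rule-export.json; do
        [ -e "$f" ] || continue
        package_from_file "$f" > /dev/null || continue
        printf '| xmImportRules APPLICATION XR VERSION 2 FILE %s REPLACE true\n' "$f"
    done
}

# Self-contained demo using constructed stand-ins for the nightly backup output
# (not real XR exports) in a temporary directory, so it runs without a SH.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/stage"
    printf '{"rule_package":"XDRAuthFailureAbusiveSrc","version":2}\n' \
        > "$work/stage/XDRAuthFailureAbusiveSrc_rule-export.json"
    printf '{"rule_package":"XDRXRSignalASNVolume","version":2}\n' \
        > "$work/stage/XDRXRSignalASNVolume_rule-export.json"
    stage_exports "$work/stage" "$work/exports"
    gen_import_spl "$work/exports"
    rm -rf "$work"
}

demo
```

On a real SH, run it as the splunk user with `EXPORTS_DIR` left at its default and point `stage_exports` at the directory the json files were SCP'd into; the printed `| xmImportRules ...` lines are then pasted into the search bar one at a time.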