
Extreme Rules

Installation

  1. The latest build can be downloaded from https://scianta.com/products/download-software/
  2. Choose the file download XR - Extreme Rules
  3. Transfer the app package (SCM-Framework) xr_linux.tar to the Splunk Search Head and install it with the Splunk CLI, e.g. /opt/splunk/bin/splunk install app xr_linux.tar
  4. The splunk user must be able to read the package. Prefer chown splunk:splunk xr_linux.tar over chmod o+r xr_linux.tar, which makes the file readable to every local account
  5. Ensure the XR components are installed on the associated Indexers as noted in https://jira.xdr.accenturefederalcyber.com/browse/MSOCI-1833

Setup Extreme Rules

  1. Enter the Splunk SH
  2. Go into the app Extreme Rules
  3. Use the following configuration values for the App Setup Page

    Data Store Configuration: Stand Alone
    Mongo Host: 127.0.0.1
    Mongo Port: 27020
    Password: Create a password and store in XDR Vault for records
    UNCHECK: Create Indexes, as these were created by XDR Engineering during the installation above
    
  4. Once the App Setup actions complete, create the following directory on the Splunk Search Head as the splunk system user (so it is owned by splunk and the app can write exports into it)

    mkdir /opt/splunk/etc/apps/SCM-Framework/scm/exports
    

Base Context Setup

The Content Team has to export the "live" Context and Models from XR on Caasp.

This can be done manually from inside Splunk with searches like the following. Keep in mind there may be more rule packages to process.

| xmExportRules RULE_PACKAGE XDRAuthFailureAbusiveSrc VERSION 2 APPLICATION XR
| xmExportRules RULE_PACKAGE XDRXRSignalASNVolume VERSION 2 APPLICATION XR

However, the XR app packs ship with scheduled searches that back up each rule package from the local SH Mongo to local disk nightly. Example from DA-ESS-AFS-XDR-XR-AuthenticationSecurity: the searches "XDR - XR XDRAuthFailureAbusiveSrc - Backup" and "XDR - XR XDRXRSignalASNVolume - Backup". Check that these backups exist and are recent before relying on them for a restore.

  1. If XR is missing, collect the JSON backup files from the nightly backup jobs and copy them to the new or restored search head.
  2. Copy the files into place as the splunk user

    Once the files are SCP'd to the SH, make sure the splunk user can read them. chmod o+r (as below) works but leaves the rule exports readable to every local account; chown splunk:splunk is the tighter option.
    chmod o+r *.json
    mv *.json /tmp
    sudo -iu splunk
    cp /tmp/*.json /opt/splunk/etc/apps/SCM-Framework/scm/exports/
    
  3. Import the rule packages from the JSON files into the XR app in Splunk. This populates Mongo; one xmImportRules search per rule package, matching the exports above.

    | xmImportRules APPLICATION XR VERSION 2 FILE /opt/splunk/etc/apps/SCM-Framework/scm/exports/XDRAuthFailureAbusiveSrc_rule-export.json REPLACE true
    | xmImportRules APPLICATION XR VERSION 2 FILE /opt/splunk/etc/apps/SCM-Framework/scm/exports/XDRXRSignalASNVolume_rule-export.json REPLACE true
    
  4. The system is now ready for XR content to be enabled.
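The copy-and-import procedure above as a script, added here as an example; it is not part of the Extreme Rules app, this runbook, or XDR Engineering's tooling. It generalizes the two listed packages to every export file in a directory: it stages the files for the splunk user with 0640/0750 permissions instead of chmod o+r, refuses to proceed if any file is not well-formed JSON (a truncated scp would otherwise only surface as an error inside Splunk), and prints the matching xmImportRules searches. Assumptions not taken from the page: export files are named <RULE_PACKAGE>_rule-export.json (as in the file names above), python3 is available on the search head for JSON validation, and the staging step runs as root (or as the splunk user itself, in which case the chown is skipped). The sample JSON and directories in the usage comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Extreme Rules app or this runbook): stage XR
# rule-package exports for the splunk user and generate the xmImportRules
# searches for every package found, instead of hand-typing one line per package.
# Assumptions not taken from the page: export files are named
# <RULE_PACKAGE>_rule-export.json and python3 exists on the SH for JSON checks.

# Directory the XR app reads exports from (created during App Setup).
EXPORTS_DIR="${EXPORTS_DIR:-/opt/splunk/etc/apps/SCM-Framework/scm/exports}"

# XDRAuthFailureAbusiveSrc_rule-export.json -> XDRAuthFailureAbusiveSrc
package_name() {
  base=$(basename "$1")
  printf '%s\n' "${base%_rule-export.json}"
}

# A truncated copy leaves a file that is not valid JSON; catch it here rather
# than as an opaque xmImportRules error inside Splunk.
valid_json() {
  python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$1" 2>/dev/null
}

# Copy exports into place readable by the owner and group only (0640, dir 0750)
# instead of chmod o+r, which exposes rule logic to every local account.
# chown needs root; when run as the splunk user itself it is skipped.
stage_exports() {
  src="$1"; dest="$2"; owner="${3:-splunk}"
  mkdir -p "$dest" && chmod 0750 "$dest" || return 1
  cp "$src"/*_rule-export.json "$dest"/ || return 1
  chmod 0640 "$dest"/*_rule-export.json || return 1
  if [ "$(id -u)" -eq 0 ]; then
    chown "$owner:$owner" "$dest" "$dest"/*_rule-export.json || return 1
  fi
}

# Print one "| xmImportRules ..." search per valid export in $1.
# Returns 1 if any file is missing or malformed, so the operator fixes the copy
# before running REPLACE true against the live Mongo store.
emit_import_searches() {
  dir="$1"; rc=0
  for f in "$dir"/*_rule-export.json; do
    if [ ! -e "$f" ]; then
      echo "no *_rule-export.json files in $dir" >&2
      return 1
    fi
    if ! valid_json "$f"; then
      echo "SKIP (not valid JSON): $f" >&2
      rc=1
      continue
    fi
    printf '| xmImportRules APPLICATION XR VERSION 2 FILE %s/%s REPLACE true\n' \
      "$EXPORTS_DIR" "$(basename "$f")"
  done
  return "$rc"
}

# Usage on the search head (as root so ownership can be set; /tmp/xr-backups
# is a placeholder for wherever the nightly backup JSON files were copied):
#   stage_exports /tmp/xr-backups "$EXPORTS_DIR" splunk \
#     && emit_import_searches "$EXPORTS_DIR"
# Paste each printed search into the Splunk search bar on the SH.
```

The package name is derived from the file name only for the printed search text; Splunk reads the package name from the JSON itself, so a renamed file still imports whatever package it contains. Run the emit step before the import and stop on any SKIP line rather than importing the files that did validate.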