@manasmbellani
Created November 26, 2022 01:44
Practical tips/steps to consider prior to deploying and updating apps in Splunk

Steps to build new alerts in Splunk

To build new alerts, perform the following steps:

  • Ensure that the correct app is selected via the Apps menu in the Splunk UI
  • Start from a recently built search macro and adapt it to the search query needed for the detection
  • Test that the alert works
  • Where applicable, use the MITRE ATT&CK framework to add the relevant fields from the matrix
  • Create a new search macro with updated permissions; prefix its name with an appropriate keyword, e.g. gcp_detect_ or sysmon_detect
  • Set the search macro permissions so that everyone can read it and only admins can write to it
  • Run the search macro to validate that the results returned are correct
  • Create a Splunk alert that runs the macro every hour, is shared in the app, and sends its alerts to Triggered Alerts

Updating the app in Splunkbase

To update the app in Splunkbase, perform the following steps:

  • Ensure that all settings in metadata/local.meta have been merged into metadata/default.meta and that local.meta has been removed
  • Ensure that all settings in local/* have been merged into the metadata folder and that the local folder has been removed
  • Ensure that the version in default/app.conf has been updated
  • Ensure that the alerts lookup file is empty