
Release Notes

2.0.2

  • Bug Fix - search on "Manage Anomaly Scoring Rule" dashboard: the dashboard panel that provides the selectable list of anomaly scoring rules previously searched an index literally named scoring_index instead of expanding the scoring_index macro used by the rest of the application.

  • App leverages @splunk/splunk-utils@3.0.0: previous versions of the app used older versions of the splunk-utils package, which contain references to deprecated v1 search APIs. The package has been upgraded to ensure Splunk Cloud compatibility.

2.0.0

  • Entirely new workflow for search creation: the workflows for building behavioral indicator searches and anomaly scoring rules have been re-engineered from scratch to use React-based Splunk UI components instead of SimpleXML-based Splunk classic dashboards. This introduces a number of improvements:

    • Streamlined workflow: instead of dashboard panels, each stage of search creation is a separate step in the navigation bar, improving readability and making current progress clearer.
    • Consistent back-end searches: all searches run while building a behavioral indicator search or anomaly scoring rule use the Splunk SearchJob class. This avoids issues in previous releases, where a mixture of JS-based SearchJob searches and token-driven dashboard panel searches made for a fragile architecture prone to bugs: users could not search certain data sets or move back through the workflow to make changes. It also means the application now makes heavy use of post-process searches, improving efficiency and reducing load times.
    • Common UI with the wider Splunk portfolio: the use of Splunk UI design components makes the application familiar to users of the wider Splunk product portfolio and so increases comprehension of the Splunk App for Behavioral Profiling.
  • indicator_index and scoring_index replaced with macros: the indexes used to store the output of behavioral indicator searches and anomaly scoring rules are now referenced through user-defined macros named "indicator_index" and "scoring_index" rather than being hardcoded to indexes of those names. This allows the application to use any index visible on the Splunk instance.

  • Configure Indexes and Collections dashboard updates: the dashboard has been updated to reflect the new macro-based system for defining the indexes used by application searches, as outlined above.

  • Deletion workflows: new workflows accessible from the "Behavioral Indicators" and "Anomaly Scoring Rules" pages support deletion of all backend configuration related to behavioral indicator searches and anomaly scoring rules through the UI.

  • Lookup file based baselines: the Entity Specific Statistical anomaly scoring rule method now supports lookup file based baseline creation in addition to the existing KV Store based option.

  • Improved event drilldown from Single Entity Profile: the click-through drilldown to raw events from the Single Entity Profile investigative dashboard no longer includes the _indicator_search macro in the search and so provides a clearer view of the events.

  • Indicator search macro usage removed: to improve the readability of the behavioral indicator searches generated by the application, the searches no longer use the single_mode_indicator_search and timechart_mode_indicator_search search macros. These will be removed from macros.conf in a later version.

  • Terminology changes: scoring rules have been renamed to anomaly scoring rules within the application and supporting collateral.

1.2.2

  • "Today" search window: Both the Single Entity Profile and Entity Behavioral Scores dashboards now include a "Today" search window.
  • Bug Fix - Single Entity Profile score attributions drilldown: in the Single Entity Profile Score Attribution drilldown, none of the fields in the search were passed with quotation marks, so any field value containing whitespace resulted in a search error.

1.2.0

  • Reviewer user displayed: the user who marks an entity as reviewed on the Entity Behavioral Scores dashboard is now stored and displayed.
  • Bug Fix - indexes.conf.txt: indexes.conf.txt now correctly provides a template for scoring_index as opposed to score_index.
  • Bug Fix - Quotation marks in indicator searches: the workflow to create a new indicator search previously did not correctly escape quotation marks in the initial search query. This caused the build of the associated KV store entry to fail and prevented use of the indicator search in the scoring rule workflow.
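
Both quoting fixes above (1.2.2: values with whitespace passed unquoted; 1.2.0: quotation marks not escaped) concern values that end up inside SPL string literals. As an added example, not code from the Splunk App for Behavioral Profiling, the Python helper below quotes field values for an SPL filter clause so that whitespace and embedded quotes survive intact; the field-name pattern and the sample values are constructed assumptions for this illustration.

```python
import re

# Added illustration, not code from the Splunk App for Behavioral Profiling:
# build SPL field filters so that values containing whitespace or double
# quotes neither break the search nor change its structure.

# Conservative field-name pattern (an assumption for this example, not an
# SPL rule): letters, digits, underscore, dot and colon only.
FIELD_NAME = re.compile(r"[A-Za-z_][\w.:]*")


def spl_quote(value: str) -> str:
    """Return value as a double-quoted SPL string literal.

    Inside SPL double quotes, backslash and double quote are escaped with a
    backslash; spaces, pipes and brackets are then taken literally.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_filter(fields: dict) -> str:
    """Render field/value pairs as an SPL filter clause, e.g. for a drilldown.

    Every value goes through spl_quote, so 'svc account' stays one term and
    an embedded '"' cannot terminate the literal early. Field names are
    validated rather than escaped, since they are not string literals.
    """
    clauses = []
    for name, value in fields.items():
        if not FIELD_NAME.fullmatch(name):
            raise ValueError(f"unsupported field name: {name!r}")
        clauses.append(f"{name}={spl_quote(str(value))}")
    return " ".join(clauses)


def build_filter_unquoted(fields: dict) -> str:
    """The pre-fix behaviour the notes describe: values passed bare.

    Whitespace splits a value into extra search terms and an embedded quote
    leaves an unbalanced literal, hence the search errors.
    """
    return " ".join(f"{name}={value}" for name, value in fields.items())


# Constructed sample values, chosen to hit both failure modes.
SAMPLE = {"entity": "svc account", "indicator": 'login "failed"'}

if __name__ == "__main__":
    print("unquoted:", build_filter_unquoted(SAMPLE))
    print("quoted:  ", build_filter(SAMPLE))
```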

1.1.0

  • New official app logo: new app logo added to app menus.
  • Streamlined new scoring rule indicator preview: the table showing data populated by the selected indicator rule on the new scoring rule screen now shows a tighter subset of relevant fields.
  • Tweaked scheduling for scoring rules: hourly scoring rules now trigger on the 5th minute of the hour as opposed to the 15th by default.