Configuration
Indexes
The app requires that two indexes be created. In your environment create the following two indexes:
- share_with_es
- share_with_itsi
The size and retention of these indexes do not need to be large or long. Only a very small amount of information is shared between the two premium apps and stored in these indexes. They are used mostly to move data between ES and ITSI, and the data does not need to be kept for more than 90 days. More details on how the app moves data can be found on the App components page.
ES Finding Filtering
The filter_share_itsi macro limits which ES findings are saved to the share_with_itsi index. This macro can be customized to share fewer or more findings from ES to ITSI. By default, the macro has two items:
- `NOT risk_object_type IN (user,"")` - filters out user-based entities, as ITSI only correlates with systems
- `NOT urgency=informational` - shares findings with urgency low and higher
ITSI Episode Filtering
The filter_share_es macro limits which ITSI episodes are saved to the share_with_es index. This macro can be customized to share fewer or more episodes from ITSI to ES. By default, the macro has three items:
- `itsi_group_severity>2` - shares episodes with severity low and higher
- `entity_title=*` - shares only episodes that have an entity, for correlation with assets in ES
- `NOT itsi_policy_id="itsi_default_policy"` - does not share episodes generated by the default ITSI NEAP, as it is too broad
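For reference, the two macros above written out as search macro stanzas. This is an added illustration, not the app's own configuration file: it assumes the macros are stored in a standard Splunk macros.conf, and the definitions are simply the default filter terms listed in the two sections above joined into one search expression.

```ini
# macros.conf (added example; assumes the app stores these filters as standard Splunk search macros)

[filter_share_itsi]
# Drop user-based risk objects (ITSI correlates on systems only) and informational findings
definition = NOT risk_object_type IN (user,"") NOT urgency=informational

[filter_share_es]
# Keep episodes of severity low or higher that carry an entity, excluding those from the default NEAP
definition = itsi_group_severity>2 entity_title=* NOT itsi_policy_id="itsi_default_policy"
```

A search that feeds the share_with_itsi index would reference the macro as `` `filter_share_itsi` `` directly after its base search, so tightening or loosening the definition in one place changes what is shared without editing the search itself. After changing a definition, run the macro on its own against a short time range to confirm the result set is what you expect before the next scheduled execution writes to the index.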
ES Detection
The app ships with an analytic story containing a single detection. Once the app is loaded and Splunk is restarted, the ITSI Episode detection should appear in ES Content Management. By default, the detection is not scheduled to run. Enable the detection and adjust the schedule if necessary. The detection will generate a finding and also create an intermediate finding for the entity involved. Adjust the risk score if necessary.
ITSI Correlation Search
The app ships with a content pack (Shared Alerting) that contains a single correlation search. Once the app is loaded and Splunk is restarted, the content pack will appear in ITSI under Configuration > Data Integrations. Then select Content library. From there you can import the ES Alert correlation search, adjust its parameters if necessary, and enable it. The correlation search will generate a Notable with a title starting with ES Alert.
The Notable Event Aggregation Policies (NEAP) you are using will need to be adjusted to include the Notable events generated by the default correlation search. You can add an OR clause to your NEAP rule with a title match on ES Alert as the Notable selection criteria. You may need to review the split-events-by criteria to ensure the ES Alert Notable is captured into the proper episode.