
Configuration

Indexes

The app requires two indexes. Create the following two indexes in your environment:

  • share_with_es
  • share_with_itsi

These indexes need neither much capacity nor long retention. Only a very small amount of information is shared between the two premium apps and stored in them: the indexes exist mainly to move data between ES and ITSI, and that data does not need to be kept for more than 90 days. More details of how the app moves data can be found on the App components page.
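As an added example (not a file shipped with the app), the following indexes.conf stanzas create the two indexes with the 90-day retention the text describes. The bucket paths follow the standard Splunk layout; the size cap is an assumed value, and both should be adjusted to your environment.

```ini
# indexes.conf, deployed to the indexers (or pushed from the cluster manager).
# Added example, not part of the app. Paths use the default Splunk layout;
# the size cap is an assumed value for indexes that only carry small summaries.

[share_with_itsi]
homePath   = $SPLUNK_DB/share_with_itsi/db
coldPath   = $SPLUNK_DB/share_with_itsi/colddb
thawedPath = $SPLUNK_DB/share_with_itsi/thaweddb
# 90 days * 86400 s = 7776000 s; buckets older than this are frozen
# (deleted, unless a coldToFrozen script or directory is configured)
frozenTimePeriodInSecs = 7776000
# The shared payload is tiny; 1 GB is an assumed, generous cap
maxTotalDataSizeMB = 1024

[share_with_es]
homePath   = $SPLUNK_DB/share_with_es/db
coldPath   = $SPLUNK_DB/share_with_es/colddb
thawedPath = $SPLUNK_DB/share_with_es/thaweddb
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 1024
```

In a distributed deployment the stanzas belong on the indexers, not the search head running ES and ITSI; after a restart, confirm both indexes are searchable from the search head with a search such as | tstats count where index IN (share_with_es, share_with_itsi) by index. Because these indexes carry notable and episode summaries, grant search access to them only to the roles that need it.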

ES Notable Filtering

The filter_share_itsi macro limits which ES notables are saved to the share_with_itsi index. This macro can be customized to share more or fewer notables from ES to ITSI. By default the macro has two conditions:

  • NOT risk_object_type IN (user,"") - exclude user-based risk objects (and notables with an empty risk_object_type), since ITSI only correlates on systems
  • NOT urgency=informational - share only notables whose urgency is low or higher

ITSI Episode Filtering

The filter_share_es macro limits which ITSI episodes are saved to the share_with_es index. This macro can be customized to share more or fewer episodes from ITSI to ES. By default the macro has three conditions:

  • itsi_group_severity>2 - share only episodes whose severity is low or higher
  • entity_title=* - share only episodes that have an entity, so they can be correlated with assets in ES
  • NOT itsi_policy_id="itsi_default_policy" - do not share episodes generated by the default ITSI NEAP, as it groups too broadly
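Both macros are ordinary search macros, so they are customized the same way. The following local/macros.conf is an added example, not the app's shipped file: it reproduces the documented default conditions for each macro and adds one extra condition to each as an illustration. The exact wording of the shipped definitions is an assumption here (check the app's default/macros.conf), and my_noisy_policy is an assumed policy id.

```ini
# local/macros.conf inside the app directory on the search head running ES and ITSI.
# Added example, not the app's own file. Overriding in local/ rather than editing
# default/ keeps the customization across app upgrades. The shipped definitions
# are assumed to read as the documented defaults below.

[filter_share_itsi]
# Documented defaults, plus one customization: also drop low-urgency notables,
# so only medium urgency and above is shared with ITSI.
definition = NOT risk_object_type IN (user,"") AND NOT urgency IN (informational,low)
iseval = 0

[filter_share_es]
# Documented defaults, plus one customization: exclude a second, assumed policy
# (my_noisy_policy) whose episodes are not useful to ES.
definition = itsi_group_severity>2 AND entity_title=* AND NOT itsi_policy_id IN ("itsi_default_policy","my_noisy_policy")
iseval = 0
```

Before relying on a change, preview what it admits from the search head, for example with index=notable `filter_share_itsi` | stats count by urgency risk_object_type, and check that the counts match what you intend to share. Widening either macro increases what lands in the share indexes, so revisit the index retention and access settings if you do.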

The app ships with an analytic story containing a single correlation search. Once the app is installed and Splunk is restarted, the ITSI Episode correlation search should appear in ES Content Management. By default the search is not scheduled. Enable it and adjust the schedule if necessary. The correlation search generates a notable and also uses the risk analysis action to adjust the risk score of the asset involved; adjust the risk score if necessary.

The app ships with a content pack (Shared Alerting) that contains a single correlation search. Once the app is installed and Splunk is restarted, the ES Alert correlation search should appear in ITSI Correlation Searches. By default the search is not scheduled. Enable it and adjust the schedule if necessary. The correlation search generates a notable event whose title starts with ES Alert.

The Notable Event Aggregation Policies (NEAPs) that you rely on will need to be adjusted to include the notable events generated by the ES Alert correlation search. You can add an OR clause to your NEAP rule with a "title matches ES Alert" condition in the notable selection criteria. You may also need to review the split-events-by criteria to ensure each ES Alert notable is captured into the proper episode.