SecKit Common Assets Add-on for Splunk Enterprise Security
Overview
Details
Version 3.x is appropriate for new implementations
Version 2.x is should be updated to the latest terminal version or upgraded to 3.x
Security Kit
Identity Management Common Components
SecKit_SA_idm_common
Introduction
This purpose of this Splunk add on is to provide foundational tools and routines for the population of assets and identities in the Enterprise Security and PCI applications for Splunk.
Docs
Release Notes
Version 3.0.8Rbaf6f27
- Major release please read the doc https://seckit.readthedocs.io/projects/seckit-sa-idm-common
- Publishing Docs on Read the Docs
- Use of collections where possible to improve performance in SHC
- Use of first time run searches to ensure a smooth experience in Splunk Cloud
- Improved default scheduled search configuration
- Improved out of box experience "zero config" getting started
- Leveraging Splunk Enterprise Security content management for all enrichment lookups.
Version 2.6.0e1aacac
-Minor updates to doc, description and naming for SplunkWorks approval process
-Add copyright to files as headers
Version 2.4.1Rfb822c3
App cert fixe
Version 2.4.0Re856239
Minor updates including code clean up and additional app certification and cloud issue resolutions
Version 2.2.8
Fixed is_expected output condition to use proper syntax and resolve case issue
Version 2.2.6
Moved the release server to bintray easier to release early builds now
Fixed up some small annoyances check out commits here
https://bitbucket.org/SPLServices/seckit_sa_idm_common/commits/all
Version 2.2.4
Certification Fixes
Version 2.2.3
Bug Fixes
Version 2.2.2
Fixed a ugly bug causing assets to not output
Version 2.2.1
-Prevent \n from remaining in the category field
-cleanup errant | from identity fields
Version 2.1.0
-Add Support for ES 4.2/4.5 multi value IP and MAC in assets
Version 2.0.8
Metadata file was omited fro the latest build
Version 2.0.6
Fixed missing default lookups due to changes in packaging process
Fixed missing static icons
Fixed allowing bare IP and /32 CIDRs in common output
Fixed long values missing from output of CIDR Assets
Version 2.0.3
-Major release possible breaking changes verify all outputs
-Minimize duplicate/conflicting true/false values
-Support pci_domain based on static host file
-Support pci_domain based on cidr match
-Dedup and filter categories at generation time (dups will occur at search time)
-Better is_expected tracker
Version 1.2.4
Fix duplicate categories on network assets
Version 1.2.3
-Fixed issue in stream dhcp search causing unchecked lookup growth
Version 1.2.2
-Fix version string
- new saved search seckit_idm_common_stream_dhcpnetworks to automatically identify and categorize dhcp managed networks based on Splunk App for stream data.
Version 1.1.1
TKO Release
-Automatic set for is_expected using meta data
Version 1.1.0
* Going forward we will use categories in two formats:
- Label - traditional word or multi word strings with underscore _ separators example retired
- Sub Category "field:value" example net_type:internal
* New macros
- `seckit_idm_common_get_asset_geo` get geo fields by ip
- `seckit_idm_common_get_asset_net_category` get network categories by ip.
- `seckit_idm_common_get_asset_net_id_category` generate a net_id: category by for defined networks
- `seckit_idm_common_external_geocode` defaults to NOOP for later use with max mind database
* `seckit_idm_common_build_net_assets` enhancements
- Apply net_type:internal or net_type:external based on match to RFC subnets
- Sort the output file to ensure the most specific match is found first