Release notes:
Added the tCell-AppFW-to-severity.csv lookup table file, a lookup definition, and an automatic lookup. AppFW pattern IDs are mapped to severity scores, and a severity score field is added to events automatically at search time.
You can create your own mapping of pattern ID to severity score under Settings > Lookups > Lookup table files > "New Lookup Table File". To reuse the default lookup definition and automatic lookup packaged with the add-on, name the destination file 'tCell-AppFW-to-severity.csv'. Caveat: if the file's sharing permission is 'App' or 'Global', upgrading the add-on will replace your custom lookup table with the default table packaged with the add-on, so re-check your mapping after every upgrade.
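The page names the lookup file but not the add-on's stanza names, sourcetype or CSV columns, so the following is an added illustration (not the add-on's shipped configuration) of how a lookup definition and an automatic lookup fit together in Splunk's transforms.conf and props.conf, and of one way to keep a custom mapping from being overwritten at upgrade. The stanza name tcell_appfw_severity, the sourcetype tcell:appfw, the custom filename my-AppFW-severity.csv and the column names pattern_id and severity are assumptions; the sample CSV rows are constructed.

```ini
# Constructed sample of the lookup file layout (two columns assumed):
#   pattern_id,severity
#   sqli-1,9
#   xss-1,7

# default/transforms.conf: the lookup definition that binds a name to the CSV.
# Files under default/ are replaced when the add-on is upgraded.
# (stanza name is assumed)
[tcell_appfw_severity]
filename = tCell-AppFW-to-severity.csv

# default/props.conf: the automatic lookup that adds the severity field
# to every event of the sourcetype at search time.
# (sourcetype and field names are assumed)
[tcell:appfw]
LOOKUP-appfw_severity = tcell_appfw_severity pattern_id OUTPUT severity

# To keep a custom mapping across upgrades, upload it under a different
# filename and re-point the same lookup definition at it from local/.
# Splunk layers local/ over default/, and an add-on upgrade does not
# touch local/, so the custom file stays in effect.
# local/transforms.conf
[tcell_appfw_severity]
filename = my-AppFW-severity.csv
```

After an upgrade, `| inputlookup tcell_appfw_severity` should still return the custom rows; if it returns the packaged defaults, the override in local/transforms.conf is not being picked up (check the file's app context and that Splunk was restarted or the configuration reloaded).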
Data input configuration now offers collection from either a single app or all apps. Selecting "all apps" removes the need to reconfigure the input each time an app is created in tCell; data from new tCell apps is collected automatically.
Support for Python 3 and Splunk 8.1+.
Do not use 0.4.3. The 0.4.3 release accidentally contained an erroneous source file that causes errors (the app does not function). This release remedies that issue.
Added data sources related to tCell's Application Server Agents (RASP):
* Local Files - tCell monitors and protects the local file system against unauthorized access. Events for violations of the Local Files policy are now collected.
* OS Commands - tCell monitors and protects against unauthorized commands being executed from the application. Events for violations of the OS Commands policy are now collected.
* Packages - Packages used by the application monitored and protected by tCell are collected at startup time for each instance, and this package information is now provided by tCell. Note that this collection runs at the same interval as events, so set up a separate input for packages with an interval of 24 hours to minimize data usage.
Updated app icon.
tCell add-on 0.4.0 adds an adaptive response action to block client IPs in tCell-protected web applications. Additionally, data collection from tCell is now provided as a modular input.