
Splunk Tutorial: How To Bulk Enable Splunk Searches

In the Splunk GUI, you can select and enable multiple searches. However, what if you want to enable only the set of searches that match specific conditions? There's no built-in way to do this yet, but we can combine a Splunk query with a Python script that calls the REST API to accomplish the task.

Query for the searches you want to enable

We can use the `rest` command in Splunk to look for searches to enable. For example, if you want to find all ESCU (Enterprise Security Content Update) searches for Windows that use the process datamodel:


This query

  1. Uses the `rest` command to pull in all saved search data
  2. Filters using regex matches for searches with
    1. Titles that contain ESCU
    2. Search logic that uses the Endpoint.Processes datamodel
    3. Search logic that outputs the dest field
    4. Excluding deprecated and experimental searches (these have a description that starts with WARNING)
    5. Excluding searches with Linux or MacOS in the title

Once you confirm this search contains all the searches you would like to enable, we can…

Output the results to JSON

This will allow us to input the search results into a Python script.

Append the following to the previous search:


This additional logic

  1. Groups the search titles into a multi-value field by app (because the API endpoint needs the app for each search)
  2. Outputs the results to a JSON field named search_group
  3. Groups all the search_group values into a single multivalued field named search_groups
  4. Joins the search_groups field together into a valid list we can copy into our script

The script

Copy the output of the search_groups field from the query into this script:


Before running

  1. Update the `host` variable to your search head's IP or hostname
  2. Update the `mgmt_port` variable if needed (the splunkd management port, 8089 by default)
  3. Copy the value of the `splunkd_8443` cookie from Splunk Web into the `auth_cookie` variable. This value is your live session credential: the script acts with your user's permissions, so keep it out of version control and let it expire rather than reusing it.
  4. Paste the results from the query into the `search_groups` variable (don't wrap it in quotes; it needs to be a valid Python list, not a string)

Once all the variables are correctly set, run the script. It will take some time depending on the number of searches, because it makes one API call per search, but it's much faster than manually going through and clicking enable.
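The following is an added worked example of the whole procedure, not the Hurricane Labs script or query (the post's own code is not reproduced on this page). It bundles a reconstruction of the kind of `rest` search described above as a string constant, a constructed sample of the `search_groups` list it would produce, and the enable loop against the `saved/searches/{name}/enable` endpoint. The host, port, cookie placeholder, the `app`/`title` field names in the JSON, and the SPL itself are assumptions made for the example.

```python
"""Bulk-enable Splunk saved searches over the splunkd REST API.

Added example, not the Hurricane Labs script. Assumptions: search_groups is a
list of {"app": ..., "title": ...} objects, and the splunkd_8443 cookie value
(the session key) is sent as "Authorization: Splunk <session key>".
"""
import json
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

HOST = "splunk-sh.example.internal"  # assumption: search head hostname or IP
MGMT_PORT = 8089                     # splunkd management port
AUTH_COOKIE = "REPLACE_WITH_splunkd_8443_COOKIE_VALUE"  # session key; never commit it
OWNER = "nobody"                     # app-shared saved searches live under this owner

# Reconstruction of the `| rest` search the post describes (an assumption, not
# the post's SPL): ESCU titles, Endpoint.Processes datamodel, outputs dest,
# not deprecated/experimental, not Linux/MacOS, grouped by app as JSON.
FIND_SEARCHES_SPL = r"""
| rest /servicesNS/-/-/saved/searches count=0
| regex title="ESCU"
| regex search="Endpoint\.Processes"
| regex search="\bdest\b"
| regex description!="^WARNING"
| regex title!="(?i)Linux|MacOS"
| stats values(title) AS title BY eai:acl.app
| rename eai:acl.app AS app
| eval search_group=json_object("app", app, "title", title)
| stats values(search_group) AS search_groups
| eval search_groups="[" . mvjoin(search_groups, ",") . "]"
"""

# Constructed sample of the search_groups field; paste the real query output
# here as a list literal, not as a quoted string.
SEARCH_GROUPS = [
    {"app": "DA-ESS-ContentUpdate",
     "title": ["ESCU - Attempted Credential Dump From Registry via Reg exe - Rule",
               "ESCU - Detect Mimikatz Using Loaded Images - Rule"]},
    {"app": "search", "title": "ESCU - Sample Single Title - Rule"},
]


def load_search_groups(value):
    """Accept the pasted list literal or the raw JSON string, so the
    'don't wrap it in quotes' mistake fails early with a clear error."""
    if isinstance(value, str):
        value = json.loads(value)
    if not isinstance(value, list):
        raise ValueError("search_groups must be a list of {app, title} objects")
    return value


def iter_enable_targets(search_groups):
    """Flatten groups into (app, title) pairs. Splunk collapses a one-element
    multivalue field to a plain string, so handle both shapes."""
    for group in search_groups:
        titles = group["title"]
        if isinstance(titles, str):
            titles = [titles]
        for title in titles:
            yield group["app"], title


def build_enable_url(host, port, app, title, owner=OWNER):
    """saved/searches/{name}/enable: the name is a URL path segment, so it
    must be percent-encoded (ESCU titles contain spaces)."""
    app_seg = urllib.parse.quote(app, safe="")
    name_seg = urllib.parse.quote(title, safe="")
    return (f"https://{host}:{port}/servicesNS/{owner}/{app_seg}"
            f"/saved/searches/{name_seg}/enable")


def enable_search(url, session_key, ctx):
    """POST to the enable endpoint; returns (http_status, body_snippet)."""
    req = urllib.request.Request(url, data=b"", method="POST",
                                 headers={"Authorization": f"Splunk {session_key}"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(200).decode("utf-8", "replace")


def main():
    # splunkd ships a self-signed management cert: load its CA with
    # ctx.load_verify_locations(cafile=...) instead of disabling verification.
    ctx = ssl.create_default_context()
    failures = 0
    for app, title in iter_enable_targets(load_search_groups(SEARCH_GROUPS)):
        status, body = enable_search(build_enable_url(HOST, MGMT_PORT, app, title),
                                     AUTH_COOKIE, ctx)
        ok = status == 200
        failures += 0 if ok else 1
        print(f"{'OK ' if ok else 'ERR'} {status} {app} :: {title}"
              + ("" if ok else f" :: {body}"))
    sys.exit(1 if failures else 0)


if __name__ == "__main__":
    main()
```

The script keeps going on a failed call and exits non-zero at the end, so one renamed or permission-denied search does not silently stop the batch; re-running it is safe because enabling an already-enabled search is a no-op. To roll back a bulk enable, the same loop works against the `disable` endpoint in place of `enable`.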

This method is useful when bulk enabling rules for use in RBA, correlation rules, or just to see what alert volume looks like for a large set of rules. From here, if you're trying to get actionable alerting from a large set of alerts at once, I recommend using correlation rules such as Active Directory Privilege Escalation Identified. Rules like this look at the risk index for multiple rules from the same analytic story triggering on the same host. To tune further, identify which rules are involved in the correlation rule most often, then add exclusions where you can, or disable a rule if it fires only on consistent benign activity.

The post Splunk Tutorial: How To Bulk Enable Splunk Searches appeared first on Hurricane Labs.

*** This is a Security Bloggers Network syndicated blog from Hurricane Labs authored by Josh Neubecker. Read the original post at: https://hurricanelabs.com/splunk-tutorials/splunk-tutorial-how-to-bulk-enable-splunk-searches/?utm_source=rss&utm_medium=rss&utm_campaign=splunk-tutorial-how-to-bulk-enable-splunk-searches