Closed 0x616c6578 closed 10 months ago
Closing temporarily. This will be re-requested at a later date with additional lines in the stanza to support Splunk ES Notables.
Hi! Thanks for your PR. There's a new development that likely makes it obsolete; here's a blog post about it that I published recently. Basically, processing pipelines now allow embedding generated queries into templates to generate custom output formats.
The problem with creating an output format for such things is that the generated output often doesn't fit the requirements of the people who want to use it. To make such a format universally usable, most of the output has to be parameterized. But as feedback for the savedsearches output of the Splunk backend has shown, there's also a lot of stuff that is missing, or people want to do it completely differently. Examples are scheduling, search windows, stanza naming and lots more. In the end there are so many variables that it's easier to create a template than to build something that needs to be configured heavily to be usable.
This PR adds a new output format: `savedsearches_accelerated_data_model`. This combines the `savedsearches` and `data_model` formats, with the following changes:

- `data_model` query will only return results from summarised data.
- `savedsearches` have been extended to include all settings added in the Splunk Save As -> Alert interface.
- `Hashes` Sysmon field has also been mapped to the `Processes.process_hash` field in the `Endpoint.Processes` dataset.
- Tests have been added for this new format and field mapping.
The intent behind this new format is to allow the creation of efficient searches for use in alerting. For example:
The savedsearch is a representation of this rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml.
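As an added illustration of what such a combined format produces, the following is example code written for this page, not code from the PR or from the Splunk backend. It renders a `savedsearches.conf` alert stanza around a `tstats` search that is restricted to the accelerated summary of `Endpoint.Processes`, with the scheduling and search-window knobs the maintainer mentions pulled out as parameters. The Sysmon-to-CIM field names, the stanza settings and the MpCmdRun detection logic (`MpCmdRun.exe` with `-RemoveDefinitions` and `-All`) are assumptions to be checked against the linked rule and your Splunk version.

```python
"""Render a Splunk savedsearches.conf alert stanza around an accelerated
data-model (tstats summariesonly) search.

Added example, not code from the PR or from the Splunk backend. Field
mappings, stanza keys and the detection below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Sysmon field -> CIM Endpoint.Processes field. Assumed for this example;
# the PR text itself only documents the Hashes -> process_hash entry.
SYSMON_TO_CIM = {
    "Image": "Processes.process_path",
    "CommandLine": "Processes.process",
    "Hashes": "Processes.process_hash",
    "ComputerName": "Processes.dest",
    "User": "Processes.user",
}


def cim(sysmon_field: str) -> str:
    """Translate a Sysmon field name into its Endpoint.Processes field."""
    return SYSMON_TO_CIM[sysmon_field]


def accelerated_query(where: str, by: list[str], summaries_only: bool = True) -> str:
    """Build the tstats search. summariesonly=true limits the search to the
    accelerated summary (fast, but events not yet summarised are invisible
    to the alert); pass summaries_only=False to fall back to raw events."""
    flag = "true" if summaries_only else "false"
    return (
        f"| tstats summariesonly={flag} allow_old_summaries=true "
        "count min(_time) as firstTime max(_time) as lastTime "
        f"from datamodel=Endpoint.Processes where {where} "
        f"by {' '.join(by)}"
    )


@dataclass
class AlertSettings:
    """The knobs that differ between deployments (assumed defaults)."""
    cron: str = "*/5 * * * *"
    earliest: str = "-10m@m"
    latest: str = "now"
    severity: int = 4               # Splunk scale: 1 info .. 6 critical
    suppress_period: str = "1h"
    suppress_fields: str = "Processes.dest"


def render_stanza(name: str, description: str, search: str, s: AlertSettings) -> str:
    """Emit one savedsearches.conf stanza as a scheduled, tracked alert."""
    lines = [
        f"[{name}]",
        f"description = {description}",
        f"search = {search}",
        "enableSched = 1",
        f"cron_schedule = {s.cron}",
        f"dispatch.earliest_time = {s.earliest}",
        f"dispatch.latest_time = {s.latest}",
        "counttype = number of events",    # trigger when results > 0
        "relation = greater than",
        "quantity = 0",
        "alert.track = 1",
        f"alert.severity = {s.severity}",
        "alert.suppress = 1",               # throttle repeats per host
        f"alert.suppress.period = {s.suppress_period}",
        f"alert.suppress.fields = {s.suppress_fields}",
        "disabled = 0",
    ]
    return "\n".join(lines) + "\n"


def parse_stanza(text: str) -> dict[str, str]:
    """Read a single stanza back into a dict (sanity check of the output)."""
    out: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            out["_name"] = line.strip("[]")
        elif " = " in line:
            key, _, value = line.partition(" = ")
            out[key] = value
    return out


def mpcmdrun_remove_definitions_query(summaries_only: bool = True) -> str:
    """Assumed rendering of the linked Sigma rule: MpCmdRun.exe launched with
    -RemoveDefinitions and -All (backslash doubled as the SPL backend does)."""
    where = (
        f'{cim("Image")}="*\\\\MpCmdRun.exe" '
        f'{cim("CommandLine")}="*-RemoveDefinitions*" '
        f'{cim("CommandLine")}="*-All*"'
    )
    by = [cim("ComputerName"), cim("User"), cim("Image"), cim("CommandLine"), cim("Hashes")]
    return accelerated_query(where, by, summaries_only)


def build_example_stanza() -> str:
    return render_stanza(
        "Sigma - Windows Defender Definition Files Removed",
        "Detects MpCmdRun.exe removing all Defender definitions (assumed rule logic).",
        mpcmdrun_remove_definitions_query(),
        AlertSettings(),
    )


if __name__ == "__main__":
    print(build_example_stanza())
```

The `summaries_only` switch is the important caveat: the accelerated form is what makes five-minute scheduling affordable, but an event that has not yet been rolled into the summary will not fire the alert, so the search window (`dispatch.earliest_time`) should overlap the acceleration lag rather than match the cron interval exactly.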