Getting Started
Installation
Download the Octamis XBaseD application from Splunkbase. The Octamis XBaseD app contains search-time functionality, such as dashboards, saved searches, macros, and lookups, and needs to be installed on your search heads. For more details on how to install the app in your environment, please refer to the official Splunk Installing Add-ons documentation.
Configuration
No specific configuration is required for the Octamis XBaseD app.
Exploration
Discover the dashboards and start analyzing your data.
Support and Documentation
No documentation other than this file is provided, and no support is offered.
xbased_drilldown_searches.csv
An explanation is required regarding the treatment applied to that lookup and its lookup generator. Initially, this drilldown search generator was designed to rerun detections filtered on the entity/risk object chosen in the XBaseD Investigation dashboard. The lookup generator retrieves all activated detections and creates a duplicate of each in the lookup file xbased_drilldown_searches.csv. It adds a line like
| search user=REPLACEME OR src=REPLACEME OR dvc=REPLACEME OR dest=REPLACEME
at the end of every detection, in a drilldown_search column.
The principle was to use the risk_object token (named entity_tk in the dashboard) and replace the string "REPLACEME" from that lookup with the token value when the dashboard executes that search. You then have your original detection rerun by the dashboard, and at the end you have the
| search user=REPLACEME OR src=REPLACEME OR dvc=REPLACEME OR dest=REPLACEME
appended, with REPLACEME replaced by the token value.
NEW TO XBaseD VERSION 0.1.3:
The list of fields is generated dynamically by the lookup generator, adding every risk_object_field defined in all your correlation searches, instead of a limited and fixed list. For example, if you have a "Computer" field defined as Risk Object Field in one of your detections, the default
| search user=REPLACEME OR src=REPLACEME OR dvc=REPLACEME OR dest=REPLACEME
won’t work. With this new version, it will automatically append a
OR Computer=REPLACEME
to your searches in the xbased_drilldown_searches.csv file. This dynamic execution is used on some XBaseD dashboards.
NEW TO XBaseD VERSION 0.1.4:
When you investigate with the XBaseD Investigation dashboard, some events may fall outside the time picker range: by default, the time picker range is kept between drilldowns. If a risk notable was triggered at the very beginning of the time picker period, the events that triggered it probably happened before that period. To avoid this, the lookup generator adds earliest and latest conditions to the drilldown search. It detects whether the detection is a tstats search or an index= search.
Additional drilldown features for the lookup generator
As appending the REPLACEME search at the end of the search is not always efficient, we added some features to the lookup generator:
drilldown_cut macro
If you use this macro anywhere in your detection SPL, it does nothing to your detection: it is an empty macro. But the lookup generator will cut the search at this point and add the REPLACEME part there. This way, you can simplify or shorten your detection search to avoid stats commands or other commands that are not needed for the re-execution.
drilldown_mark(1) macro
When you use this macro in your detection SPL, it still does nothing to your original detection: it is an empty macro with one parameter. But the lookup generator will replace drilldown_mark("foo_bar") with foo_bar="REPLACEME" in the lookup. This way, you can choose which field is mandatory for you, instead of the user, src, dvc or dest fields by default. And more importantly, you choose where in your SPL! Choosing where can be important for search performance: filtering at the beginning of a search is more efficient than at the end. The macro parameter can contain "| search foo_bar": this will be put in the drilldown_search column of the lookup as:
| search foo_bar="REPLACEME"
fixed searches
You can enter a specific search that you don't want to be modified at all. Enter it in the fixed_search column of the xbased_drilldown_searches.csv lookup. This way, the lookup generator will keep your search as is when used in the dashboards.
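The generator behaviour described in this file (the appended REPLACEME search, the dynamic field list of version 0.1.3, the earliest/latest bounds of version 0.1.4, the drilldown_cut and drilldown_mark macros, and fixed searches) modelled end to end. This is an added example written for this page, not the Octamis XBaseD app's own SPL or lookup generator: the token names $earliest_tk$ and $latest_tk$, the placement of the time bounds inside the search, the regular expressions and the sample detections are all assumptions made here.

```python
"""Model of how the xbased_drilldown_searches.csv generator rewrites detections.
Illustrative reimplementation, not the Octamis XBaseD app's own SPL. REPLACEME,
drilldown_cut, drilldown_mark, fixed_search and the default field list come from
the page; token names, regexes and sample detections are assumptions."""
import re
from dataclasses import dataclass

DEFAULT_FIELDS = ("user", "src", "dvc", "dest")  # fixed list used before 0.1.3

# Assumed dashboard token names for the time picker (the page names only entity_tk).
EARLIEST_TOKEN = "$earliest_tk$"
LATEST_TOKEN = "$latest_tk$"

# SPL invokes macros between backticks; the macro names come from the page.
CUT_MACRO = re.compile(r"`drilldown_cut`")
MARK_MACRO = re.compile(r'`drilldown_mark\("([^"]*)"\)`')


@dataclass
class Detection:
    """One activated detection as the generator would read it (constructed shape)."""
    name: str
    search: str
    risk_object_field: str = "user"
    fixed_search: str = ""  # non-empty: keep this search untouched (fixed_search column)


def collect_risk_fields(detections):
    """0.1.3 behaviour: the default fields plus every risk_object_field in use."""
    fields = list(DEFAULT_FIELDS)
    for det in detections:
        if det.risk_object_field not in fields:
            fields.append(det.risk_object_field)
    return fields


def replaceme_clause(fields):
    """The '| search user=REPLACEME OR src=REPLACEME ...' suffix from the page."""
    return "| search " + " OR ".join(f"{field}=REPLACEME" for field in fields)


def add_time_bounds(search):
    """0.1.4 behaviour: pin earliest/latest so the drilldown is not clipped by the
    time picker. Placement is this model's choice: tstats where clause, or after index=."""
    bounds = f"earliest={EARLIEST_TOKEN} latest={LATEST_TOKEN}"
    tstats = re.match(r"(\s*\|?\s*tstats\b[^|]*)(.*)", search, re.S)
    if tstats:
        cmd, rest = tstats.group(1), tstats.group(2)
        if re.search(r"\bwhere\b", cmd):
            cmd = re.sub(r"\bwhere\b", f"where {bounds}", cmd, count=1)
        elif re.search(r"\sby\s", cmd):  # in tstats, where must precede by
            cmd = re.sub(r"\sby\s", f" where {bounds} by ", cmd, count=1)
        else:
            cmd = cmd.rstrip() + f" where {bounds} "
        return cmd + rest
    if re.search(r"\bindex=\S+", search):
        return re.sub(r"(\bindex=\S+)", rf"\1 {bounds}", search, count=1)
    return search  # neither form recognised: left as-is in this model


def build_drilldown(detection, fields):
    """Produce the drilldown_search value for one detection."""
    if detection.fixed_search:
        return detection.fixed_search  # fixed searches are never modified
    spl = CUT_MACRO.split(detection.search, maxsplit=1)[0].rstrip()  # cut here
    if MARK_MACRO.search(spl):
        # drilldown_mark("foo_bar") -> foo_bar="REPLACEME"; a '| search foo_bar'
        # argument keeps its prefix and becomes | search foo_bar="REPLACEME"
        spl = MARK_MACRO.sub(lambda m: m.group(1) + '="REPLACEME"', spl)
    else:
        spl = spl + " " + replaceme_clause(fields)
    return add_time_bounds(spl)


def generate_lookup(detections):
    """Rows of xbased_drilldown_searches.csv: one per activated detection."""
    fields = collect_risk_fields(detections)
    return [{"name": d.name, "drilldown_search": build_drilldown(d, fields),
             "fixed_search": d.fixed_search} for d in detections]


def render(drilldown_search, entity):
    """Dashboard-side step: substitute the entity_tk value for REPLACEME. The value
    lands inside SPL, partly in unquoted terms, so refuse structure-changing characters."""
    if not entity or re.search(r'[\s|"`\\]', entity):
        raise ValueError("entity value is not safe to place into the SPL")
    return drilldown_search.replace("REPLACEME", entity)


# Constructed sample detections, not real XBaseD content.
SAMPLE_DETECTIONS = [
    Detection("Failed logins by source",
              "index=auth action=failure | stats count by src | where count > 50",
              risk_object_field="src"),
    Detection("Rare process on host",
              "| tstats count from datamodel=Endpoint.Processes where Processes.process_name=* "
              '`drilldown_mark("Processes.dest")` by Processes.dest Processes.process_name '
              "`drilldown_cut` | rare Processes.process_name",
              risk_object_field="Computer"),
    Detection("Pinned proxy errors", "index=proxy status=500",
              fixed_search="index=proxy status=500 | head 100"),
]

if __name__ == "__main__":
    for row in generate_lookup(SAMPLE_DETECTIONS):
        print(row["name"], "->", row["drilldown_search"])
```

The render step is where the dashboard splices the entity_tk value into a saved search, so that value should be treated as input to the SPL rather than as trusted text: the model refuses whitespace, pipes, quotes and backticks, since an unquoted user=REPLACEME term cannot hold them without changing the meaning of the search.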