In the Splunk GUI, you can select and enable multiple searches. However, what if you want to enable only the set of searches that match specific conditions? There's no built-in way to do this yet, but we can combine a Splunk query with a Python script that uses the REST API to accomplish the task.
Query for the searches you want to enable
We can use the rest command in a Splunk query to find the searches to enable. For example, if you want to find all ESCU searches for Windows that use the process datamodel, the query:
- Uses the rest command to pull in all saved search data
- Filters with regex matches for searches that have
  - Titles containing ESCU
  - Search logic that uses the Endpoint.Processes datamodel
  - Search logic that outputs the dest field
- Excludes deprecated and experimental searches (these have a description that starts with WARNING)
- Excludes searches with Linux or MacOS in the title
Once you confirm this search contains all the searches you would like to enable, we can…
Output the results to JSON
This lets us feed the search results into a Python script.
Append the following to the previous search:
This additional logic:
- Groups the search titles into a multi-value field by app (because the API endpoint needs the app for each search)
- Outputs the results to a JSON field named search_group
- Groups all the search_group values into a single multivalued field named search_groups
- Joins the search_groups field together into a valid list we can copy into our script
Copy the output of the search_groups field from the query into the script:
- Update the host variable to your search head’s IP or hostname
- Update the mgmt_port variable if needed
- Then copy the value of the splunkd_8443 cookie from Splunk web into the auth_cookie variable
- Paste the results from the query into the search_groups variable (don't wrap it in quotes; it needs to be a valid list)
Once all the variables are correctly set, run the script. It will take some time depending on the number of searches, because it makes one API call per search, but it is much faster than manually going through and clicking enable.
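For readers who want to see the shape of that script, here is an added example (not the post's own script) that takes the grouped search_groups output and enables each search through the saved/searches enable endpoint in its app namespace. The host, port, cookie value and search titles below are placeholders and a constructed sample; the requests are sent with the splunkd_8443 cookie, as the post describes, and the send function is injectable so the plan can be dry-run before touching a search head.

```python
import urllib.error
import urllib.parse
import urllib.request

# Assumed placeholders (not from the post): point these at your own search head.
HOST = "splunk-sh.example.internal"
MGMT_PORT = 8089
COOKIE_NAME = "splunkd_8443"      # the Splunk web cookie the post says to copy
AUTH_COOKIE = "PASTE_THE_splunkd_8443_COOKIE_VALUE_HERE"
# Constructed sample in the shape the search_groups field produces:
# one object per app, with a single title or a multi-value list of titles.
SEARCH_GROUPS = [
    {"app": "DA-ESS-ContentUpdate",
     "title": ["ESCU - Sample Process Detection - Rule", "ESCU - Another Sample - Rule"]},
    {"app": "search", "title": "My Local Correlation Search"},
]

def enable_url(host, port, app, title):
    """REST endpoint that enables one saved search inside its app namespace."""
    return (f"https://{host}:{port}/servicesNS/nobody/{app}/saved/searches/"
            f"{urllib.parse.quote(title, safe='')}/enable")

def plan_requests(search_groups, host=HOST, port=MGMT_PORT):
    """Flatten the grouped query output into (app, title, url) triples, one per search."""
    plan = []
    for group in search_groups:
        titles = group["title"]
        if isinstance(titles, str):  # a group with one search arrives as a plain string
            titles = [titles]
        for title in titles:
            plan.append((group["app"], title, enable_url(host, port, group["app"], title)))
    return plan

def _post(request, context=None):
    """Send one request and return its HTTP status; pass an ssl context built from your CA bundle."""
    with urllib.request.urlopen(request, context=context) as resp:
        return resp.status

def enable_searches(search_groups, cookie=AUTH_COOKIE, host=HOST, port=MGMT_PORT, send=_post):
    """POST to each enable endpoint with the splunkd session cookie, one call per search.
    Returns {(app, title): status} so a renamed search (404) or expired cookie (401) is visible."""
    results = {}
    for app, title, url in plan_requests(search_groups, host, port):
        req = urllib.request.Request(url, data=b"", method="POST")
        req.add_header("Cookie", f"{COOKIE_NAME}={cookie}")
        try:
            results[(app, title)] = send(req)
        except urllib.error.HTTPError as err:
            results[(app, title)] = err.code  # keep going and report per-search status
    return results
```

Call `plan_requests(SEARCH_GROUPS)` first to review the exact URLs, then `enable_searches(SEARCH_GROUPS)` to enable them; any non-2xx status in the returned dict identifies the search that needs attention.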
This method is useful when bulk enabling rules for use in RBA or correlation rules, or just to see what the alert volume looks like for a large set of rules. From there, if you're trying to get actionable alerting from a large set of alerts at once, I recommend using correlation rules such as Active Directory Privilege Escalation Identified. Rules like this look at the risk index for multiple rules from the same analytic story triggering on the same host. To tune further, you can identify which rules are involved in the correlation rule most often, then add exclusions where you can, or disable a rule if it is consistently triggered by benign activity.