All Apps and Add-ons

Unable to modify the saved search in PCI App (Alert condition)

integratednet
Explorer

Hi

Currently PCI 1.2 - Rule - Detect Communication Directly To Untrusted From Trusted is configured to send e-mail alerts and alert mode is set as always , and it is scheduled to run on cron schedule (6****)

But we noticed that we are receiving some false positive alert e-mail with no events

So I tried to modify the alert condition from always to number of events > 5 after saving it and when I reopen the saved search the alert mode goes back to always

Can any body help me on this

regards
muralee

stevekryskalla
Engager

We are having the same problem. Seems like a bug in splunk.

0 Karma

integratednet
Explorer

Hi Bob

I tried the workaround but the results are same.

Kindly advice

integratednet
Explorer

Hi Bob

Tks for the reply.

Actually I need to set it to greater than 0 , because when I set the e-mail alert before
I used to get the blank pdf (specially when there are no events)

I will try the configuration and let you know the outcome.

BobM
Builder

Hi Muralee

This sounds to me like a permissions problem that will need to be sorted in the local.meta configuration file. Searches in some apps are not allocated an owner which would happen if they were created in the UI. This prevents issues if the account doesn't exist when the app is installed but occasionally it gets confused when it has been modified a couple of times by other users.

I would look in your $SPLUNK_HOME/etc/apps/SplunkPCIComplianceSuite/metadata/local.meta file for a stanza

[savedsearches/PCI%201.2%20-%20Rule%20-%20Detect%20Communication%20Directly%20To%20Untrusted%20From%20Trusted]

and add the following line below it replacing admin with a valid administrator account.

owner = admin

BUT

I think the underlying issue is more serious. You are masking a potential threat by changing this. There are three potential scenarios.

1) you have an ip address marked as trusted that shouldn't be.

2) you have an ip address marked as untrusted that should be trusted.

3) Someone or something is making connections that shouldn't be allowed.

The first two can easily be remedied by editing your lookup file network_domain_list.csv the third should be investigated and possibly blocked by your firewall. Do you really want to ignore up to 5 instances of scenario 3.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...