The Analyst1 App for Splunk is an add-on designed for use by existing Analyst1 customers.
This add-on brings enrichment data around observables/indicators of compromise from Analyst1 into Splunk, providing lookup tables for correlation data and some sample dashboards to get users started. All of this is accomplished with outbound connections from Splunk to Analyst1, avoiding complex firewall configurations.
For setup and operations help, open the Analyst1 Documents portal site and look for the Analyst1 App for Splunk Guide.
Version 1.4.1 of the Splunk TA brings multiple improvements to the Outputs module, which sends network telemetry from Splunk to Analyst1 to create hit stats.
Known Issues:
1) When an IOC is found on multiple Inputs and removed from only one, the IOC will incorrectly be removed from the TA lookup until the next "full refresh" sync by one of the Inputs. Frequency of refreshes is controlled by the "Refresh Factor" setting on each Input.
2) Input configuration labels are unclear. Inputs using the Index lookup creation mode default to the default Splunk index; this will be labeled more clearly.
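Known issue 1 is a reference-counting problem: an IOC supplied by several Inputs must stay in the shared lookup until every Input that contributed it has removed it, and a single remove must not drop it. The following is an added, illustrative Python model of that reconciliation, not the TA's own code; the input names, IOC values and the add/remove event stream are constructed, and the lowercase normalization is an assumed choice rather than the TA's documented behavior. It contrasts the incorrect single-remove behavior with a per-input tracked version, and shows a full refresh as the union of each Input's complete IOC list.

```python
"""Constructed model of IOC lookup membership across multiple Inputs.

Not the Analyst1 TA's code. Two hypothetical Inputs ("input_a", "input_b")
deliver incremental add/remove events for the same shared lookup.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed event stream: (input_name, action, ioc_value).
# The IP is in the documentation range and the domain is a reserved example name.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("input_a", "add", "198.51.100.23"),
    ("input_b", "add", "198.51.100.23"),
    ("input_a", "add", "Malicious.Example"),
    ("input_a", "remove", "198.51.100.23"),  # still supplied by input_b
    ("input_b", "remove", "198.51.100.23"),  # now gone from every Input
]


def normalize(ioc: str) -> str:
    """Assumed normalization so the same IOC in different case is one key."""
    return ioc.strip().lower()


def naive_apply(events: Iterable[Tuple[str, str, str]]) -> Set[str]:
    """Drops an IOC on any single remove: the behavior known issue 1 describes."""
    lookup: Set[str] = set()
    for _, action, ioc in events:
        key = normalize(ioc)
        if action == "add":
            lookup.add(key)
        elif action == "remove":
            lookup.discard(key)
    return lookup


def tracked_apply(events: Iterable[Tuple[str, str, str]]) -> Set[str]:
    """Keeps an IOC until every Input that contributed it has removed it."""
    sources: Dict[str, Set[str]] = defaultdict(set)
    for input_name, action, ioc in events:
        key = normalize(ioc)
        if action == "add":
            sources[key].add(input_name)
        elif action == "remove":
            sources[key].discard(input_name)
            if not sources[key]:
                del sources[key]  # no Input references it any more
    return set(sources)


def full_refresh(snapshots: Dict[str, Iterable[str]]) -> Set[str]:
    """Rebuild the lookup from every Input's complete IOC list (the union).

    This is what a "full refresh" sync restores after the incremental
    path has wrongly dropped a shared IOC.
    """
    merged: Set[str] = set()
    for iocs in snapshots.values():
        merged |= {normalize(i) for i in iocs}
    return merged


if __name__ == "__main__":
    # After the fourth event the IOC is still supplied by input_b.
    print("naive  :", sorted(naive_apply(SAMPLE_EVENTS[:4])))
    print("tracked:", sorted(tracked_apply(SAMPLE_EVENTS[:4])))
    print("refresh:", sorted(full_refresh({
        "input_a": ["Malicious.Example"],
        "input_b": ["198.51.100.23"],
    })))
```

Running the script shows the naive lookup missing `198.51.100.23` after the first remove, while the tracked lookup keeps it until `input_b` removes it too; the full refresh rebuilds the same union from each Input's snapshot, which is why the known issue self-corrects at the next refresh.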
Version 1.4.0 adds overall stability to the TA, addresses several bugs, and includes one update to Analyst1 API usage. The fixes are as follows:
1) Custom certificates are now retained, so they do not need to be re-added when making an account change.
2) Corrected and standardized case handling for IOC values in the Analyst1 /diff API endpoint.
3) Removed instances where the TA requested a proxy password when one was not needed.
4) Ensured that a configured proxy is used for all outbound Analyst1 requests, and that the proxy is configured correctly for the Python requests library.
Calls to the Analyst1 API that used diff/99999 have also been updated to use /sensors/{ID} to fetch the appropriate version directly.
Resolves two issues. 1) Fixes the Account page not always rendering when other TAs/Apps introduce malformed passwords. 2) Allows each Account to explicitly trust an optional public certificate, to handle certificates issued by organizational or non-standard CAs.
Version 1.2.0 enhances our support for Outputs, a way to get indicator sightings (what Analyst1 calls Hit Stats) from Splunk into the Analyst1 platform, by fixing an issue where the API submission wrongly preserved log files on the Splunk infrastructure. It also implements all changes required to maintain current Splunk Cloud compatibility, both Victoria and Classic.
Version 1.1.0 includes beta support for Outputs, a way to get indicator sightings (what Analyst1 calls Hit Stats) from Splunk into the Analyst1 platform.
Initial release