
How to use version control to track changes to Splunk searches

Splunk is a powerful tool for data analysis, but it can be difficult to track changes to your searches. This is where version control becomes indispensable. Version control allows you to track every change that you, or anyone else, makes to a search, so you can easily revert to a previous version when necessary. Additionally, it streamlines collaboration, as everyone can see the changes that have been made, ensuring visibility into all modifications.

In this article, we will discuss how to use version control to track changes to Splunk searches. We will cover the following topics:

  • What is version control?
  • Why use version control for Splunk searches?
  • How to set up version control for Splunk searches

What is version control?

Version control is a system that tracks changes to files over time, allowing you to easily revert to previous versions, compare changes, and collaborate with others. There are many different version control systems available; the most popular general-purpose ones are Git and Subversion.

While Git and Subversion are great choices for version control, they were designed for software development and lack critical capabilities for cybersecurity use cases, especially the management and versioning of Splunk savedsearches.

INFO

LogCraft is a version control system especially designed to address cybersecurity requirements and it delivers:

  • assisted versioning, so you don't have to waste time thinking about what the next version number should be, or which versioning scheme to follow in the first place.
  • import, scan and automated verification of the deployed savedsearches, so you are always guaranteed that the code running in production is the same as the one in development. This also guarantees that the code running on a Splunk instance wasn't modified since its last release.
  • MITRE ATT&CK analytics, so you can quickly and easily understand the blind spots across your hundreds of detections.
  • Splunk integration, so that deploying, verifying or withdrawing a search is as simple as a single click.
  • a collaborative interface, so that the security team can easily understand who changed what, when and why, and visually see the difference between any two searches, including their parameters.

In short, LogCraft is a version control system crafted by cybersecurity practitioners for fellow professionals in the field. It is designed for any Security Operations Center (SOC) looking to embrace industry-leading best practices in detection management.

Why use version control for Splunk searches?

There are many reasons why you should use version control for Splunk searches. Here are a few of the most important reasons:

  • It allows you to track changes to your searches. This is essential for ensuring that your searches are always working as expected.
  • It allows you to revert to previous versions of your searches. This is useful if you make a mistake or if your search is accidentally deleted.
  • It makes it easy to collaborate on searches with others. Everyone can see the changes that have been made, and it is easy to merge changes from different people.
  • It can help you save time and effort. By using version control, you can avoid having to recreate searches from scratch.
  • It is a requirement for compliance and auditing purposes.

How to set up version control for Splunk searches

There are three main ways to set up version control for Splunk searches:

  1. Use a dedicated, general-purpose version control system, the most common approach. This is a manual, from-scratch installation that requires time and effort before you reach productivity, with a working integration with Splunk and a smooth workflow with your team's processes.
  2. Use a Splunk app. There are a number of Splunk apps that can be used to manage version control for Splunk searches. These typically address simple use cases such as backing up and restoring everything, nothing more, nothing less, and they come without any support.
  3. Use LogCraft and instantly track changes to your savedsearches. Each search gets a unique version number following semantic versioning, and you can move searches between production and development as your detection engineering practice requires!

To simplify, ask yourself what level of integration you would like to have:

  • No integration, then a standard git repository may be the best choice
  • Some integration, then a Splunk app may be the best option
  • Advanced integration and capabilities, then LogCraft is the way to go
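Whichever option you pick, the verification step mentioned in the INFO box above (checking that the savedsearches running on an instance match the copy committed to version control) boils down to comparing the two savedsearches.conf files stanza by stanza. The script below is an added illustration of that check, not LogCraft's or Splunk's code; both conf samples are constructed for the example, and the fingerprint function stands in for whatever release hash you would store per search.

```python
import configparser
import hashlib
# Constructed sample: the savedsearches.conf stanzas committed to version control.
BASELINE_CONF = """
[Suspicious PowerShell Encoded Command]
search = index=wineventlog EventCode=4688 process=powershell.exe command_line="*-enc*"
cron_schedule = */5 * * * *
enableSched = 1
[Brute Force Logon Attempts]
search = index=wineventlog EventCode=4625 | stats count by src_ip | where count > 20
enableSched = 1
"""

# Constructed sample: what is actually deployed on the Splunk instance (drifted).
DEPLOYED_CONF = """
[Suspicious PowerShell Encoded Command]
search = index=wineventlog EventCode=4688 process=powershell.exe command_line="*-enc*"
cron_schedule = */5 * * * *
enableSched = 0
[Brute Force Logon Attempts]
search = index=wineventlog EventCode=4625 | stats count by src_ip | where count > 20
enableSched = 1
[Ad-hoc Test Search]
search = index=main | head 10
"""

def parse_savedsearches(text):
    """Parse savedsearches.conf into {stanza_name: {key: value}}."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive (enableSched, cron_schedule)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}

def stanza_fingerprint(stanza):
    """SHA-256 over sorted key=value pairs: the release fingerprint to store per search."""
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(stanza.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()

def verify_deployment(baseline_text, deployed_text):
    """Report searches added, removed or modified on the instance versus the baseline."""
    base, dep = parse_savedsearches(baseline_text), parse_savedsearches(deployed_text)
    report = {"added": sorted(set(dep) - set(base)), "removed": sorted(set(base) - set(dep)), "modified": {}}
    for name in sorted(set(base) & set(dep)):
        if stanza_fingerprint(base[name]) != stanza_fingerprint(dep[name]):
            keys = sorted(set(base[name]) | set(dep[name]))
            report["modified"][name] = {k: (base[name].get(k), dep[name].get(k)) for k in keys if base[name].get(k) != dep[name].get(k)}
    return report
```

On the samples above the report flags the disabled PowerShell detection (enableSched changed from 1 to 0) and the unreviewed ad-hoc search that appeared only on the instance, which is exactly the drift a release check should surface.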

Conclusion

Version control is a powerful tool that can help you track changes to your Splunk searches. By using version control, you can ensure that your searches are always working as expected, revert to previous versions of your searches if necessary, and collaborate on searches with others.

Copyright © 2022-2024 LogCraft's Blog - All rights reserved.

hello@logcraft.io @LogCraftIO