Insider Threat Connector


Release notes

1.5.1 (March 26th, 2018)

> Fixed a problem where the error messages that alert admins when Sideview
Utils is not installed, or is too low a version, were not appearing correctly.
> Workaround for a bug in Splunk where the server returns “UNKNOWN_VERSION” as
the Splunk version. Prior to this release of the app, when this bug occurred
in Splunk it made the app’s version dependency check fail, which then
redirected every user to the homepage to tell them the Splunk version was
too low.

1.5 (August 18th, 2017)

> Integrated the oit_alerts sourcetype into the Browse Sessions and Session
Detail views, as well as into the General Report interface.
> Modified the oit_alerts sourcetype to fix various problems caused by spaces
in the field names. Note – this is an index-time change, so if you have
already been indexing the Alerts data as sourcetype=”oit_alerts”,
unfortunately your old data won’t work with this version.
> Added Login as a top level filtering pulldown on the Browse Sessions and
General Report pages.
> Increased required version of Splunk from 5.0 to 6.0.
> Reduced the vertical padding on the form fields in Browse and Report.
> Fixed a bug where on smaller window sizes, the Search Controls could appear
jumbled on top of the Tabs.
> Cleaned up the duration fields to trim off the redundant zeros after
decimal points that were appearing on some rows.
> Added a health check so that if one of the two required sourcetypes is not
indexed, it lights up a helpful error on the homepage.
> Added a health check so that if one of the two required sourcetypes isn’t
getting its fields extracted properly, it lights up a helpful error on
the homepage.
> Added checklist.conf stanzas, so that some health checks run in the
DMC and deployment admins can get a sense of whether the app is set up and
running well.

1.4 (May 25th, 2017)

> Removed the Field Picker that we added in 1.3; instead, the Browse UI
has been broadened to allow browsing not only sessions but also rollups by
Server, User, Client, Domain, Command and Application. Drilling down into any
of these causes the Browse view to filter to that value and flip back to
browsing sessions.
> The breadcrumb link from Session Detail back to browse now restores
whatever search filters had been active on the Browse page previously.
> Application and Command pulldowns now have a way to search for sessions
that have no value at all for the given field.
> Fixed a bug when drilling down into the homepage’s “top 10” chart, where
the values for Login, User, Server and Client names would all be blank.
Fixed the same bug in the Activity Dashboard drilldowns.
> Fixed a bug where saved report clicks were loading in Splunk’s generic
Report view instead of the app’s report view.
> Added Create Dashboard and Create Alert buttons to the Browse view.
> Homepage Chart now offers group by and also split-by field choices, and
defaults to top Users split by Server.

1.3 (November 11th, 2016)

> Condensed the design on Session Detail so Application and Command level
details are now in a single shared column.
> On Session Detail, there is now a second Pager module below the main table.
> DomainName is no longer a top level pulldown on Browse Sessions.
> Command and CommandInvocation are now defined in conf rather than in macros.
> Removed multiselect Pulldowns in favor of newer Sideview CheckboxPulldown
modules in Browse Sessions.
> Modified behavior of Application and Command pulldowns in Browse Sessions
so that sessions are now returned with either the specified Applications or
the specified Commands.
> Renamed “report” view to “general_report” to no longer prevent use of the
generic Splunk “report” view that ships in 6.X.
> Browse Sessions now has a Field Picker you can use to add/remove and reorder
the fields shown in the table.
> Browse Sessions now has a “see full search syntax” link and a “graph sessions
over time” link. The latter serves as a crosslink to send the given
sessions over into “General Report”.
> Browse Sessions now has a time and a new “duration” field instead of the old
“began” and “ended” fields. Duration values look like “00:01:23”.

1.2.2 (October 26th, 2016)

> Fixed a mistake in our indexes.conf that had Windows-style backslashes in
the paths.
> Added the indexes.conf config to the TA app.
> Fixed a bug where the icons and links to view the slides from the Session
Detail page had stopped working.

1.2.1 (June 30th, 2016)

> Added TA_observeit app, for deployment to any forwarding tier or indexing
tier. Going forward the full observeit app should only be on Search Heads.

1.2 (April 4th, 2016)

> Added sourcetype config for “oit_logins”, “oit_sessions”, “oit_conf_changes”.

> Substantial fixes around how the app was detecting Sideview Utils, so that
this detection can work on Splunk 6.X.
> By default the app now expects data to be indexed into index=”observeit”.

> Updated the app to workaround issues in Splunk 5.0 around saved search names
in “@go” URLs. This app now requires at least Sideview Utils 2.2.4.
See release notes for Sideview Utils 2.2.4.

> Added a workflow action for the ViewerURL, so that people can jump to the
video quickly if they’re ever browsing the raw events.
> Added a SEDCMD at index time to replace \, (i.e. backslash+comma) with two
backslashes and a comma.
> Fixed a bug where misc. search terms were not being used in the report view.
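As an added illustration of the index-time SEDCMD mentioned above (this is not the app’s own props.conf; the stanza name is a placeholder, since the release notes do not say which sourcetype the rule is attached to), the rewrite is a sed-style substitution in props.conf. In the regex, `\\` matches one literal backslash, and in the replacement `\\\\` emits two:

```ini
# Added example, not shipped with the app. Replace PLACEHOLDER_SOURCETYPE
# with the sourcetype the rule should apply to.
[PLACEHOLDER_SOURCETYPE]
# Match backslash+comma in the raw event and rewrite it as two backslashes
# followed by a comma, for every occurrence on the line (g flag).
SEDCMD-escape_commas = s/\\,/\\\\,/g
```

Because SEDCMD runs at index time, it only affects events indexed after the change, and it has to live where parsing happens (indexers or heavy forwarders, i.e. the tier the TA is deployed to), not on a search head.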

> moved custom dashboard css out into a separate file.
> updated dashboard css to work correctly on IE. (although without rounded
> updated macro that creates began/ended fields in such a way that they
remain sortable.
> fixed initial sort order on browse_sessions

> Fixing a bug where the session_detail table would look clickable.
> adding new fields to the 3 session list tables, and normalizing them all.
> pulling various pieces of session_list functionality into macros.
> passing selected Application/Command values from browse_session into
> Added better ‘save’ menus and job controls, export, print controls.
> added not just save but ‘create dashboard’, ‘create alert’ controls to the
general report builder.

> passing along filter args to the session_detail view.
> fixing a bug where session table clicks died once you clicked a video icon.
> normalizing the ‘other’ and ‘misc terms’ field labels to ‘misc terms’
> passing on the selected pie wedge to the session_detail.xml
> Fixing problems in the merge_applications_and_commands macros.conf. This
fixed many bugs where VALUE would appear, or the applications and commands
values would be off.
> put a limit=5 into the session_detail timechart so the 6th–10th items don’t
get confusingly clipped from the legend.
> fixed a bug where pie wedge selection would remain even after restarting
from the top.

> made session_detail display both commands and applications in the timechart,
and also made it stack.
> added OS pulldown to browse_sessions and report view.
> in browse_sessions, merged the Applications and Commands columns into one
column called “Applications/Commands”.
> updated the regex that cleans up the Command field, and that creates the
CommandInvocation field, so that it no longer leaves a space character in
the ‘Command’ values.
> fixed a typo in the fillnull_commands macro that wasn’t filling null values
of ApplicationName.
> added a “sort-by” pulldown that appears in the report view when appropriate.
> Fixed a problem where all the little counts wrapped in parentheses, across
all the pulldowns, were reporting the wrong numbers. Fixed these to
indicate the number of sessions that contain the given value.
> filtered out the problematic “N/A” values from Application and Command.
> customized the “command” clicks in the dashboard view, to append “*”.