Upgrading

The following steps are the standard way to upgrade the App and Add-On.  

Upgrading the App to 3.2.0

Version 3.2.0 for the App introduces support for unique sightings per data model, which requires an update to the threatq_matched_indicators lookup format. If Matching is enabled under App Settings, follow the steps below to migrate your existing data to the new format. If Matching is not enabled, no action is required.

  1. Open ThreatQuotient App For Splunk > Search and run the following query to create composite keys. Wait for the query to complete.
    | inputlookup threatq_matched_indicators
    | eval key_datamodel_name=if(isnotnull(raw_event) AND (isnull(datamodel_name) OR datamodel_name=""), "Raw", coalesce(datamodel_name, "Unknown"))
    | eval key_dm_safe=replace(key_datamodel_name, "[^A-Za-z0-9_-]", "_")
    | eval _key=ioc_value . "_" . key_dm_safe
    | table ioc_id, ioc_value, _key, match_time, first_seen, last_seen, match_count, score, status, type, updated_at, sources, adversaries, sid, last_run_first_seen, last_run_last_seen, last_run_match_count, malware_family, datamodel_name, raw_event
    | outputlookup threatq_matched_indicators key_field=_key

  2. Run the next query:
    | inputlookup threatq_matched_indicators
    | eval key_datamodel_name=if(isnotnull(raw_event) AND (isnull(datamodel_name) OR datamodel_name=""), "Raw", coalesce(datamodel_name, "Unknown"))
    | eval key_dm_safe=replace(key_datamodel_name, "[^A-Za-z0-9_-]", "_")
    | eval composite_key=ioc_value . "_" . key_dm_safe
    | eval key=_key
    | where key=composite_key
    | outputlookup threatq_matched_indicators append=F

    After this step, only composite-key rows remain in threatq_matched_indicators and old-key rows are removed.

  3. Run the following verification query to confirm that all entries have been successfully updated with composite keys:
    | inputlookup threatq_matched_indicators
    | eval has_composite_key=if(match(_key, "^.+_.+$"), "Yes", "No")
    | stats count by has_composite_key

    All entries should now show has_composite_key=Yes.

  4. Proceed with the standard App Upgrade steps listed below.
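As an added illustration that is not part of this documentation or the ThreatQuotient App, the Python script below reproduces the key-derivation rules of the three queries above (Raw/Unknown fallback for the data model name, character sanitization, composite `_key`, step-2 removal of old-key rows, step-3 verification) over a constructed sample export of the lookup. It lets you dry-run the migration on a CSV exported from the KV store before running `outputlookup`; the sample rows and the `migrate`/`verify` function names are assumptions, and only the fields used by the queries are included.

```python
import csv
import io
import re

# Constructed sample of a threatq_matched_indicators export (not real data).
# Keys are still in the pre-3.2.0 format (ioc_value only); one IOC appears
# twice because it matched both a data model and a raw event.
SAMPLE_LOOKUP_CSV = """_key,ioc_id,ioc_value,datamodel_name,raw_event,match_count
1.2.3.4,101,1.2.3.4,Network Traffic,,3
evil.example,102,evil.example,,some raw log line,1
evil.example,102,evil.example,Web,,2
5.6.7.8,103,5.6.7.8,,,1
"""

# Same character class as the replace() in the queries.
SAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]")


def datamodel_label(row):
    """Mirror the key_datamodel_name eval: a row with a raw_event but no
    datamodel_name is 'Raw'; a row with neither is 'Unknown'; otherwise
    the datamodel_name itself."""
    dm = (row.get("datamodel_name") or "").strip()
    raw = row.get("raw_event") or ""
    if raw and not dm:
        return "Raw"
    return dm or "Unknown"


def composite_key(row):
    """ioc_value + '_' + sanitized data model label, as in the _key eval."""
    return f"{row['ioc_value']}_{SAFE_CHARS.sub('_', datamodel_label(row))}"


def migrate(csv_text):
    """Return the rows as they would exist after steps 1 and 2: every row
    keyed by its composite key, old (ioc_value-only) keys gone, and rows
    that collide on a composite key collapsed to the last one seen, which
    is how a KV store upsert by key_field behaves."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    migrated = {}
    for row in rows:
        new = dict(row)
        new["_key"] = composite_key(row)
        migrated[new["_key"]] = new
    return migrated


def verify(migrated):
    """Step 3 check: count rows whose _key matches ^.+_.+$ ."""
    pat = re.compile(r"^.+_.+$")
    counts = {"Yes": 0, "No": 0}
    for key in migrated:
        counts["Yes" if pat.match(key) else "No"] += 1
    return counts


if __name__ == "__main__":
    result = migrate(SAMPLE_LOOKUP_CSV)
    for key, row in result.items():
        print(key, "<-", row["ioc_value"], "/", row["datamodel_name"] or "(none)")
    print(verify(result))
```

Running it shows the four composite keys (`1.2.3.4_Network_Traffic`, `evil.example_Raw`, `evil.example_Web`, `5.6.7.8_Unknown`) and a verification count of `Yes: 4, No: 0`. Note that the step-3 regex only checks for an underscore somewhere in the key, so an old-format key whose IOC value itself contains an underscore would also count as `Yes`; if your IOC values can contain underscores, compare `_key` against the recomputed composite key (as step 2 does) rather than relying on the regex alone.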

App Upgrade Steps

Review the Upgrading the App to 3.2.0 section above if you are upgrading from a version earlier than 3.2.0 before proceeding.

  1. Follow the standard Splunkbase upgrade steps to upgrade the app.

    Wait for the upgrade process to complete before proceeding with the next step.

  2. Navigate to Info > Edit App Configuration > Account.
  3. Configure the account for the app to perform workflow actions and AR actions.
  4. Review and configure the Proxy and Logging settings if needed.

    If you are upgrading to a newer version of the App component and currently use Enterprise Support matching, run the threatq_cleanup_es_lookups saved search once to remove the old data before upgrading. All threat intelligence data is added automatically on upgrade using Enterprise Security's REST APIs.

Add-On Upgrade Steps

  1. Navigate to the ThreatQuotient Add-on for Splunk.
  2. Navigate to the Inputs page and disable any existing inputs.
  3. Navigate to Settings > Searches, Reports, and Alerts.
  4. Delete any existing alerts.
  5. Follow the standard Splunkbase upgrade steps to upgrade the Add-on.

    Wait for the upgrade process to complete before proceeding with the next step.

  6. Navigate back to the ThreatQuotient Add-on for Splunk.
  7. Navigate to the Inputs page and enable any existing input or create a new input in the fields supplied.