topic Re: What defines an asset priority? in Splunk Enterprise Security

What defines an asset priority?

daniel333 — Fri, 21 Oct 2016 20:52:43 GMT

All,

I am setting up asset center in Splunk ES/PCI. The idea of an Asset priority is sorta vague. Is it left that way on purpose? For me to define?

"Example: Must be one of unknown, informational, low, medium, high, or critical"

Re: What defines an asset priority?

sdaniels — Fri, 21 Oct 2016 21:01:05 GMT

The severity of the event and the priority of the host are combined to generate the urgency of an event. That is what is built into the system. Users desktop less important than server, which is less important than a critical app server etc... You get to assign your priorities based on what is important to your environment.

http://docs.splunk.com/Documentation/PCI/3.2.0/User/AssetManagement

Re: What defines an asset priority?

daniel333 — Fri, 21 Oct 2016 22:02:16 GMT

Hey, thanks for replying. I guess what I am looking for is what defines an asset priority?

Re: What defines an asset priority?

gokadroid — Sat, 22 Oct 2016 03:25:28 GMT

To answer asset priority in simple terms, it means which asset's event will be prioritized if an (similar severity) event occurred at the same time on two assets. Straight from the docs is this:

The priority field (high) is combined with the severity of the search to create the urgency for the notable event.

http://docs.splunk.com/Documentation/PCI/3.2.0/User/AssetManagement#How_asset_fields_are_used

Prioritization. The same type of events on two different systems may not deserve the same level of attention; a medium severity event against a desktop machine is less urgent than the same issue against an externally facing web-server that processes credit card information. Asset management allows an urgency to be computed based on the priority of hosts and assign higher urgency to high priority assets.

http://docs.splunk.com/Documentation/PCI/3.2.0/User/AssetManagement

Re: What defines an asset priority?

gokadroid — Sat, 22 Oct 2016 05:23:50 GMT

Asset priority , if required specifically, as per your comment is defined in answer I have provided.

Re: What defines an asset priority?

mshill24 — Tue, 03 Apr 2018 19:29:39 GMT

I have the same/a similar question: How do you change an Asset's priority? I have a bunch of Assets, but they are all medium priority. I want to start changing the priority of some Assets to High and Critical... How do I do this?

Re: What defines an asset priority?

vr2312 — Tue, 05 Sep 2023 02:19:13 GMT

You can do that by clicking the Assets and Identity lookups and follow the hyperlink under the source tab. That will redirect it to the contents of the lookup where you can click on the field and edit it.

Re: What defines an asset priority?

kevin8 — Tue, 26 Sep 2023 18:59:54 GMT

What about the 3rd dimension, risk? Seems fair to make 3 for urgency.