Hello, Splunkers!
I am learning Splunk ES and trying to understand how the urgency value is assigned for notables generated from the correlation searches. I went over this article: How urgency is assigned to notable events in Splunk Enterprise Security - Splunk Documentation. So, if severity is assigned in the settings of the correlation search, where do we assign the priority to assets? Can someone please explain or provide a documentation page on how this process (assigning priority) is done exactly? Specifically, I would really appreciate it if someone could share where this should be configured, whether on Enterprise Security itself or elsewhere, and whether it is done through the GUI or requires manually editing some config files.
Also, a bit of a stupid question, but can we also assign priority to identities, for example to indicate higher priority for admin accounts rather than usual accounts?
Thank you for taking your time reading and replying to my post ❤️
See this
https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Formatassetoridentitylist
So your search will be
index=my_asset_source ...
| eval priority="high"
| table nt_host priority ...
| outputlookup my_asset_definition.csv
You just need to fill in the gaps so you can collect the fields mentioned in the document. Set the priority as you want it to be based on your business rules for defining how you want to assign priority.
Take a look at the asset and identity framework documentation
https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Addassetandidentitydata
Priorities can be assigned through the searches you write to pull in A&I data or can be derived from network subnets.
Typically you may write searches to pull in data from sources and assign priorities based on criteria, such as whether the asset is a production asset, or the identity is a senior manager or a system administrator. This can be based on their job title or group membership.
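As an added example covering both replies above (the skeleton search with eval priority and the "business rules" such as production subnets, job title and group membership), here are two searches that build an asset lookup and an identity lookup with priority derived from rules. This is example code, not from the original posts or from Splunk; the index names (cmdb, hr), sourcetypes, field names (groups, title, username), subnets and lookup file names are all assumptions and need to be replaced with whatever your own CMDB or HR source actually provides.

```spl
index=cmdb sourcetype=cmdb:asset
| eval priority=case(
    match(category, "(?i)domain_controller|pci|crown_jewel"), "critical",
    cidrmatch("10.10.0.0/16", ip), "high",
    match(bunit, "(?i)finance|payroll"), "high",
    cidrmatch("10.30.0.0/16", ip), "medium",
    true(), "low")
| table ip mac nt_host dns owner priority bunit category
| outputlookup my_asset_definition.csv

index=hr sourcetype=hr:employee
| eval priority=case(
    match(groups, "(?i)domain admins|enterprise admins|server admins"), "critical",
    match(title, "(?i)chief|director"), "high",
    true(), "medium")
| eval identity=username."|".email
| eval category=if(priority="critical", "privileged", "user")
| table identity first last email priority bunit category
| outputlookup my_identity_definition.csv
```

The case() statement is evaluated top to bottom and the first matching condition wins, so put the rule that should dominate (for example, the critical category) first and end with true() as the catch-all. Priority must be one of the values ES understands (unknown, low, medium, high, critical). In the identity lookup the identity field is pipe-delimited, which is why the username and email are joined with "|", so that a notable referencing either string resolves to the same identity and its priority. Once the CSV lookups exist, add them as sources on the Asset and Identity Management page in the ES GUI (described in the second documentation link above); no config files need to be edited by hand.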
Hello @bowesmana , thanks for replying to my post.
Regarding your last suggestion, if I got it right, I can assign the priority value in the search string itself? So far what I've read is that the identities and assets are added via lookups to Splunk, from which the information about their priority is pulled. So, if I got your suggestion about assigning priorities in the searches themselves, could you please provide an example? I would really appreciate it!
Cheers,
Splunky diamond