
How to assign priority to an asset? Splunk ES

splunky_diamond
Path Finder

Hello, Splunkers!

I am learning Splunk ES and trying to understand how the urgency value is assigned to notables generated by correlation searches. I went over this article: How urgency is assigned to notable events in Splunk Enterprise Security - Splunk Documentation. So, if severity is assigned in the settings of the correlation search, where do we assign the priority to assets? Can someone please explain, or provide a documentation page on how this process (assigning priority) is done exactly? Specifically, I would really appreciate it if someone could share where this should be configured: on Enterprise Security itself or elsewhere, and whether it is done through the GUI or requires manually editing some config files.


Also, a bit of a stupid question, but can we also assign priority to identities, for example to indicate a higher priority for admin accounts than for regular accounts?


Thank you for taking your time reading and replying to my post ❤️

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Take a look at the asset and identity framework documentation

https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Addassetandidentitydata

Priorities can be assigned through the searches you write to pull in A&I data or can be derived from network subnets.

Typically you may write searches to pull in data from sources and assign priorities based on criteria, such as whether the asset is a production asset, or the identity is a senior manager or a system administrator. This can be based on their job title or group membership.


splunky_diamond
Path Finder

Hello @bowesmana , thanks for replying to my post.

Regarding your last suggestion, if I got it right, I can assign the priority value in the search string itself? So far, what I've read is that identities and assets are added to Splunk via lookups, from which the information about their priority is pulled. So, if I understood your suggestion about assigning priorities in the searches themselves correctly, could you please provide an example? I would really appreciate it!

Cheers,

Splunky diamond

0 Karma

bowesmana
SplunkTrust
SplunkTrust

See this

https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Formatassetoridentitylist

So your search will be

index=my_asset_source ...
| eval priority="high"
| table nt_host priority ...
| outputlookup my_asset_definition.csv

You just need to fill in the gaps so you can collect the fields mentioned in the document. Set the priority as you want it to be based on your business rules for defining how you want to assign priority.
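
As an added example (not from this thread or from Splunk's documentation), the two searches below fill in the gaps in the answer above: one builds an asset lookup, the other an identity lookup, and each sets priority with a case() expression that encodes business rules like the ones described earlier in the thread (production vs. dev, a management subnet, admin or executive job titles). The inventory rows are constructed with makeresults so the searches run in any search bar without an index; in a real deployment the makeresults/append block is replaced by the search against your CMDB, AD or HR source. The field names env and title, the 10.200.0.0/16 "management" subnet, the hostnames and people, and the file name my_identity_definition.csv are assumptions for illustration; my_asset_definition.csv is the name used in the answer. Multi-value fields such as identity and category are pipe-delimited, which is the format the asset and identity lookups expect.

```spl
| makeresults
| eval nt_host="web-prod-01", ip="10.10.5.21", dns="web-prod-01.corp.example", env="production", owner="platform-team", category="web"
| append [| makeresults
    | eval nt_host="db-prod-02", ip="10.10.20.7", dns="db-prod-02.corp.example", env="production", owner="dba-team", category="database|pci"]
| append [| makeresults
    | eval nt_host="dev-box-17", ip="192.168.40.12", dns="dev-box-17.corp.example", env="dev", owner="jdoe", category="workstation"]
| append [| makeresults
    | eval nt_host="jump-01", ip="10.200.1.4", dns="jump-01.corp.example", env="production", owner="secops", category="jumphost"]
| eval priority=case(
      cidrmatch("10.200.0.0/16", ip), "critical",
      env="production" AND match(category, "(?i)database|pci"), "critical",
      env="production", "high",
      env="staging", "medium",
      env="dev", "low",
      true(), "unknown")
| fields - _time env
| table ip nt_host dns owner category priority
| outputlookup my_asset_definition.csv

| makeresults
| eval identity="a.smith|asmith", first="Ada", last="Smith", email="a.smith@corp.example", title="Domain Administrator", bunit="IT", category="admin"
| append [| makeresults
    | eval identity="b.jones|bjones", first="Bo", last="Jones", email="b.jones@corp.example", title="VP Finance", bunit="Finance", category="executive"]
| append [| makeresults
    | eval identity="c.lee|clee", first="Cy", last="Lee", email="c.lee@corp.example", title="Support Analyst", bunit="Support", category="staff"]
| eval priority=case(
      match(title, "(?i)administrator|engineer") OR match(category, "(?i)admin"), "critical",
      match(title, "(?i)^(VP|CFO|CEO|Director)\b") OR match(category, "(?i)executive"), "high",
      true(), "medium")
| eval watchlist=if(priority="critical", "true", "false")
| fields - _time title
| table identity first last email bunit category priority watchlist
| outputlookup my_identity_definition.csv
```

Run the two searches separately (one per lookup). The order of the case() branches matters: the first matching branch wins, so the most specific rules (management subnet, PCI database, domain admin) come before the broad environment or default rules. Priority must be one of unknown, low, medium, high or critical, since that is what the urgency lookup keys on. Writing the CSV is only half the job: the lookup still has to be registered and enabled as an asset or identity source in Enterprise Security (Configure > Data Enrichment > Asset and Identity Management) before the merge picks it up and notables start receiving the new priority, so the whole process is done from the ES GUI plus the search that produces the lookup, with no config file editing required.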

