Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to add new fields for notable asset extraction?

dfphere
Explorer
‎12-11-2020 11:44 AM

I'm attempting to add some new fields to leverage the Asset Extraction for our Notables.

As of today, we have what appear to be the default values: src,dest,dvc,orig_host. From my experience, when src/dest are present in a search, the priority value is automatically assigned to the notable, and I believe that functionality is happening via this setting. I'm wanting to add the src_ip/dest_ip fields that are leveraged in most of our searches to obtain the priority value from our assets inventory. However, after running a test by adding dest_ip to the entries with a search with dest_ip populated, it didn't pull the priority value as expected. I'm wondering if there maybe a piece I'm missing that I should verify or if there may have been replication time I needed to account for.

0 Karma
Reply

jaspersplunkfu
Engager
‎04-19-2023 08:42 AM

I noticed that this is inconsistent as well despite dest_ip/src_ip clearly being present in the search, or the logs. I am curious if it has something to do with the src_ip present in the raw log, vs it being mapped at search time from the automatic lookups that ship with ES out the box that attempt to map it to an ES asset. I was hoping that this functionality would work, I am having to rely more upon dest/src which seem to work more as expected.

0 Karma
Reply

lkutch_splunk
Splunk Employee
Splunk Employee
‎12-11-2020 12:02 PM

Which version of ES are you using? If ~6.0 or higher, you could rank them: 

https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Assetlookupconfiguration#Rank_the_order_for_mer...

Any new asset list gets added to the bottom of the list by default. You can rank the order of this list to determine priority for merging assets. If an asset exists in multiple source files as a single value or exists multiple times in the same source file, this ranking is the weighted order for merging them. 

Reply

dfphere
Explorer
‎12-12-2020 10:03 AM

What's interesting is - the only field that's part of the search is the dest_ip field, so I guess I'd expect it to just pull from that field regardless of ranking.

Also, from what I can see, the field that exists in the assets list is called 'ip'. Could there another piece to the equation that's successfully mapping the src/dest fields to this 'ip' field but not the src_ip/dest_ip fields?

0 Karma
Reply

lkutch_splunk
Splunk Employee
Splunk Employee
‎12-11-2020 12:05 PM

Oh! Sorry, I thought I saw "merging" assets. My answer might not apply to your question 🙂 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...