I'm attempting to add some new fields to leverage the Asset Extraction for our Notables.
As of today, we have what appear to be the default values: src,dest,dvc,orig_host. From my experience, when src/dest are present in a search, the priority value is automatically assigned to the notable, and I believe that functionality is happening via this setting. I'm wanting to add the src_ip/dest_ip fields that are leveraged in most of our searches to obtain the priority value from our assets inventory. However, after running a test by adding dest_ip to the entries with a search with dest_ip populated, it didn't pull the priority value as expected. I'm wondering if there may be a piece I'm missing that I should verify, or if there may have been replication time I needed to account for.
I noticed that this is inconsistent as well, despite dest_ip/src_ip clearly being present in the search or the logs. I am curious if it has something to do with the src_ip present in the raw log vs. it being mapped at search time from the automatic lookups that ship with ES out of the box that attempt to map it to an ES asset. I was hoping that this functionality would work; I am having to rely more upon dest/src, which seem to work more as expected.
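One way to separate the two possible causes described above (the asset lookup not resolving the value in dest_ip at all, versus the notable's Asset Extraction not picking the field up) is to run the asset lookup by hand against the same events before the correlation search creates a notable. The search below is an added example written for this thread, not something from the original post or from Splunk; the index, sourcetype and time range are placeholders, and it assumes the ES-shipped `get_asset(field)` macro and its `<field>_priority` / `<field>_category` / `<field>_bunit` output fields are available in the environment.

```spl
index=firewall sourcetype=my:firewall earliest=-15m
| eval src=coalesce(src, src_ip), dest=coalesce(dest, dest_ip)
| `get_asset(dest)`
| `get_asset(src)`
| table _time src_ip dest_ip src dest src_priority dest_priority dest_category dest_bunit
```

If dest_priority is populated here, the asset lookup does resolve the IP and the gap is on the notable side; if it is empty, the value in dest_ip does not match an entry in the asset lookup (for example because it is only present in the raw event and is not normalised to the format the lookup keys on), and no extraction setting will help until that is fixed. As a workaround, the coalesce line can be kept in the correlation search itself so the notable carries src/dest, which the default Asset Extraction fields already handle.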
Which version of ES are you using? If ~6.0 or higher, you could rank them:
Any new asset list gets added to the bottom of the list by default. You can rank the order of this list to determine priority for merging assets. If an asset exists in multiple source files as a single value or exists multiple times in the same source file, this ranking is the weighted order for merging them.
What's interesting is - the only field that's part of the search is the dest_ip field, so I guess I'd expect it to just pull from that field regardless of ranking.
Also, from what I can see, the field that exists in the assets list is called 'ip'. Could there be another piece to the equation that's successfully mapping the src/dest fields to this 'ip' field but not the src_ip/dest_ip fields?
Oh! Sorry, I thought I saw "merging" assets. My answer might not apply to your question 🙂