Splunk Enterprise Security

How to use splunk to create a CMDB like table of asset info?

calvinmcelroy
Path Finder

Hello,


Our security team has had a need for an asset management tool to keep track of our hardware and software inventory with respect to our security processes and security controls. Our support team already maintains a CMDB, but it doesn't do a great job and provides almost no value as a master list or as a way to audit for gaps in security control coverage. Our team deploys a variety of tools that use agents or network discovery scans to give a partial list of asset inventories. When we do comparisons, none of them is complete enough to avoid some variance between the different tools. We would like a CMDB that allows us to track our assets and our security control coverage. You cannot secure what you don't know about!

One idea has been to grab asset information from all the tools using custom API input scripts and aggregate it in Splunk into one KV store table. Then we could use this table as a master list. We have the Splunk deployment clients and the asset_discovery scan results, but we also have cloud-delivered solutions for vuln mgmt, EDR, AV, MDM, etc.

I wanted to reach out to the community to see if anybody else has come across this use case and if there are any resources anybody has to share, or guidance to make this idea a reality.


paulcurry
Path Finder

Not sure if you are still looking into this, but I ran into a similar issue and aggregate several searches into Assets. Either the CMDB is missing items or some other agent has additional information for an asset.

Very basic instructions:

1. Create a search that returns the info you want.
2. Follow https://docs.splunk.com/Documentation/ES/7.0.1/Admin/Formatassetoridentitylist for the table in the search. You may have to rename some fields to match.
3. Save As - Report.
4. Schedule it.
5. Title and description.
6. Settings - Lookups - Lookup definitions.
7. Create new definition.
8. Dest App = SA-IdentityManagement.
9. Name it.
10. File-based.
11. Lookup file = name of the outputlookup CSV you had in the search. If it's not in the list, manually re-run the saved search.
12. Open the Enterprise Security app.
13. Configure - Data Enrichment - Asset & Identity.
14. New Configuration.
15. Choose source -- this will be the lookup name.
16. Save.


You are correct in letting Asset and Identity Management manage the merge. You can set the rank of all of the sources on that page as well.

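As an added illustration of steps 1 and 2 above (this is example SPL written for this thread, not code from either poster or from Splunk), the search below builds the scheduled report that feeds the lookup. It pulls host records from three places, normalises them onto the ES asset list fields, and uses the `category` field to record which tools saw each host so that hosts missing from one of the controls can be found with a simple `| inputlookup ... | search category=control_gap`. The index names and the `vendor_edr:device` / `vendor_vm:asset` sourcetypes and their field names (`hostname`, `device_ip`, `host_fqdn`, `ipv4`) are placeholders for whatever your EDR and vulnerability management add-ons actually index; the deployment server REST endpoint and the ES lookup field names are real.

```spl
| multisearch
    [ search index=edr sourcetype="vendor_edr:device" earliest=-7d
      | eval source_tool="edr", dns=lower(hostname), ip=device_ip ]
    [ search index=vulnmgmt sourcetype="vendor_vm:asset" earliest=-7d
      | eval source_tool="vuln_mgmt", dns=lower(host_fqdn), ip=ipv4 ]
| append
    [ | rest /services/deployment/server/clients splunk_server=local
      | eval source_tool="splunk_client", dns=lower(hostname), _time=now() ]
| where isnotnull(dns) AND dns!=""
| eval nt_host=upper(mvindex(split(dns,"."),0))
| stats values(ip) as ip, values(source_tool) as seen_in, max(_time) as last_seen by dns, nt_host
| eval coverage_total=3
| eval category=if(mvcount(seen_in)<coverage_total,
                   mvjoin(seen_in,"|")."|control_gap",
                   mvjoin(seen_in,"|"))
| eval ip=mvjoin(ip,"|")
| eval priority="medium", is_expected="true", should_update="true", requires_av="true"
| fields ip, nt_host, dns, owner, priority, category, pci_domain, is_expected, should_timesync, should_update, requires_av
| outputlookup master_asset_list.csv
```

`multisearch` only accepts streaming commands in its subsearches, which is why the per-source clean-up is limited to `eval`; the deployment-server client list comes from `| rest` via `append` because it is not a search over indexed events. Multi-value fields such as `ip` and `category` are pipe-delimited in the CSV, which is the format the ES asset lookup expects. Raise `coverage_total` if you add more sources to the `multisearch`.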

calvinmcelroy
Path Finder

I forgot to mention, one of the ultimate uses of the master list would be to leverage it as the primary resource used for Assets in the Assets & Identities framework. It seems like this framework already does this merge for you, but I would also like to have the master list available for other processes. It might be best just to add the individual asset lists and let ES merge them into the `assets` table.
