Splunk Enterprise Security

How to use splunk to create a CMDB like table of asset info?

calvinmcelroy
Path Finder

Hello,

 

Our security team has had a need of a asset management tool to keep track of our hardware and software inventory with respect to our security processes and security controls. Our support team already maintains a CMDB but it doesn't do a great job and provides almost no value as a master list or a way to audit for gaps in security control coverage.  Our team deploys a variety of tools that use agents or network discovery scans to give a partial list of asset inventories. When we do comparisons, none of them are complete enough not to have some variance from between different tools. We would like a CMDB that allows us to track our assets and our security control coverage. You cannot secure what you don't know about!

One idea has been to grab asset information from all the tools using custom api input scripts and aggregate it into splunk into one kvstore table. Then we could use this table as a master list. We have the splunk deployment clients and the asset_discovery scan results, but we also have cloud delivered solutions for vuln mgmt, edr, av, mdm, etc. 

I wanted to reach out to the community to see if anybody else has came across this use-case and if there are any resources anybody has to share or guidance to make this idea a reality. 

Labels (3)
Tags (1)
0 Karma

paulcurry
Path Finder

Not sure if you are still looking into this, but I ran into a similar issue and aggregate several searches into Assets.  Either the CMDB is missing items or some other agent has additional information for an asset.  

Very basic instructions:

1. Create search that returns info you want
2. https://docs.splunk.com/Documentation/ES/7.0.1/Admin/Formatassetoridentitylist
for table in search. You may have to rename some fields to match
3. Save As - Report
4. Schedule it
5. Title and description
6. Settings-Lookups-lookup definitions
7. Create new definition
8. Dest App = SA-IdentityManagement
9. name it
10. File-based
11. Lookup file = name of the outputlookup csv you had in search. If it's not in the list manually re-run the saved search.
12. Open Enterprise security app
13. Configure-Data Enrichment-Asset&Identity
14. New Configuration

15. Choose source -- will be the lookup name

16 Save.

 

You are correct in letting Asset and Identity Management manage the merge.  You can set the rank of all of the sources on that page as well.

0 Karma

calvinmcelroy
Path Finder

I forgot to mention, one of the ultimate uses of the master list, would be to leverage it as the primary resources used for Assets in the Assets & Identities framework. It seems like this framework already does this merge for you, but I would also like to have the master list available for other processes. It might be best just to add the individual asset lists, and let ES merge it into the `assets` table.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...