Splunk Enterprise Security

Splunk Enterprise Security: What is the best way to add details to asset information?

splunker1981
Path Finder

Hello Splunkers,

Can someone provide some guidance on what is the best or recommended method of adding context to asset information? From what I can tell, it can be done via tags, asset lists (asset management), and automatic lookups. What I'm trying to do is add things like who owns a system, what location an IP falls within based on CIDR block, what type of business unit the IP or host falls under, etc. From what I gather, my options are between asset management and automatic lookups. Tags seem like they would be hard to maintain. I'd like to be able to search and report on this data within my searches and Splunk Enterprise Security, so I'm not sure if that changes anything. Any pointers would be greatly appreciated.

Cheers.

0 Karma

mdessus_splunk
Splunk Employee

Hello,

You're correct, both ways are available.
The asset feature from ES should provide you with most of what you need (have a look here if needed: http://docs.splunk.com/Documentation/ES/4.1.0/User/AssetandIdentityCorrelation#Asset_lookup_details ), and you can set it up to be updated automatically from third-party sources (like AD or your CMDB).

0 Karma

Richfez
SplunkTrust

To add to the answer mdessus gave, you can also do a combination. For instance, if AD (see note 1) has most of the information but you have another system for storing location information, you could pull everything you need from AD and everything you need from the other system, then combine them (see note 2) to get your final asset list.

Note 1) If you use AD, there is a way to speed up your search for assets or identities by about an order of magnitude. An easy way, in fact. I believe Splunk is looking at adding the minor modification to the search in the official docs, but it isn't there as of 6.4. If you go this route, after you get it implemented, post a new question asking "How can I speed up my LDAP/AD asset list creation" or something like that.

Note 2) There are myriad ways to accomplish this, but I'd guess it often means having your secondary set of data in a lookup, doing a search against your primary location, doing the lookup to get your other info, then writing the whole mess out to whatever you have set up for your asset list (csv, likely).
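The merge described in the two notes above (primary host data from AD, location and business unit from a secondary CIDR-keyed lookup, combined into one asset-list CSV), written out as an added example that is not part of either answer and not Splunk's own code. It assumes the AD export has already been dumped to CSV with `nt_host`, `ip` and `owner` columns, that the secondary lookup is keyed by CIDR block, and that the target is the ES asset lookup column layout (`ip`, `mac`, `nt_host`, `dns`, `owner`, `priority`, `lat`, `long`, `city`, `country`, `bunit`, `category`, `pci_domain`, `is_expected`, `should_timesync`, `should_update`, `requires_av`). All sample rows are constructed; hosts whose IP matches no block are kept with the enrichment columns left blank rather than dropped, so the asset list still covers them.

```python
import csv
import io
import ipaddress

# Constructed sample: what a CSV dump of the AD/LDAP search might look like
# (hostnames, addresses and owners are hypothetical).
AD_EXPORT = """nt_host,ip,owner
WEB01,10.1.0.15,alice
DB01,10.2.0.7,bob
LAPTOP42,192.168.5.30,carol
PRINTER9,172.16.3.3,
"""

# Constructed secondary lookup: CIDR block -> location / business unit / priority.
# The /24 inside 10.1.0.0/16 shows that the most specific block should win.
LOCATION_LOOKUP = """cidr,city,country,bunit,priority
10.1.0.0/16,London,GB,ecommerce,high
10.1.0.0/24,London-DC1,GB,ecommerce,critical
10.2.0.0/16,Frankfurt,DE,finance,critical
192.168.0.0/16,Remote,--,workforce,medium
"""

# Column layout of the ES asset lookup (assumption: matches the ES 4.x docs linked above).
ASSET_FIELDS = [
    "ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long",
    "city", "country", "bunit", "category", "pci_domain", "is_expected",
    "should_timesync", "should_update", "requires_av",
]


def load_locations(text):
    """Parse the CIDR lookup and sort longest prefix first, so the most
    specific matching block is found before any enclosing block."""
    rows = list(csv.DictReader(io.StringIO(text)))
    nets = [(ipaddress.ip_network(r["cidr"], strict=False), r) for r in rows]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def locate(ip, nets):
    """Return the lookup row for the first (most specific) block containing ip,
    or None when no block matches or the address is malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, row in nets:
        if addr in net:
            return row
    return None


def build_asset_list(ad_text, loc_text):
    """Combine the AD export with the CIDR lookup into ES asset-list rows.
    Every AD host produces one row; enrichment columns stay empty on no match."""
    nets = load_locations(loc_text)
    assets = []
    for host in csv.DictReader(io.StringIO(ad_text)):
        asset = {field: "" for field in ASSET_FIELDS}
        asset.update(ip=host["ip"], nt_host=host["nt_host"], owner=host["owner"])
        loc = locate(host["ip"], nets)
        if loc is not None:
            asset.update(city=loc["city"], country=loc["country"],
                         bunit=loc["bunit"], priority=loc["priority"])
        assets.append(asset)
    return assets


def to_csv(assets):
    """Serialise the rows in the asset-lookup column order (header first)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ASSET_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(assets)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_asset_list(AD_EXPORT, LOCATION_LOOKUP)))
```

The longest-prefix ordering is the part worth carrying over whatever tool does the merge: with overlapping blocks (a site /16 and a data-centre /24 inside it), a lookup that returns the first row in file order will silently tag data-centre hosts with the wrong priority. Inside Splunk the same merge can be done natively by giving the location lookup a CIDR match type in its lookup definition and feeding the result to `outputlookup`; the script above is useful when the secondary data lives outside Splunk or you want to validate the combined CSV before ES picks it up.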
