Splunk Enterprise Security

Splunk Enterprise Security: What is the best way to add details to asset information?

splunker1981
Path Finder

Hello Splunkers,

Can someone provide some guidance on what is the best or recommended method of adding context to asset information? From what I can tell, it can be done via tags, asset lists (asset management), and automatic lookups. What I'm trying to do is add things like who owns a system, what location an IP falls within based on CDIR block, what type of business unit the IP or host falls under, etc. From what I gather, my options are between asset management and automatic lookups. Tags seem like they would be hard to maintain. I'd like to be able to search and report on this data within my searches and Splunk Enterprise Security, so I'm not sure if that changes anything. Any pointers would be greatly appreciated.

Cheers.

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

Hello,

You're correct, both ways are available.
The asset feature from ES should provide you most of what you need (have a look here if needed: http://docs.splunk.com/Documentation/ES/4.1.0/User/AssetandIdentityCorrelation#Asset_lookup_details ), and you can setup him to be updated automatically from third party sources (like AD or your CMDB).

0 Karma

Richfez
SplunkTrust
SplunkTrust

To add to the answer mdessus gave, you can also do a combination. For instance, if AD (see note 1) has most of the information but you have another system for storing location information, you could pull everything you need from AD and everything you need from the other system, then combine them (see note 2) to get your final asset list.

Note 1) If you use AD, there is a way to speed up your search for asset or identies by about an order of magnitude. An easy way, in fact. I believe Splunk is looking at adding the minor modification to the search in the official docs but it isn't there as of 6.4. If you go this route, after you get it implemented post a new question asking "How can I speed up my LDAP/AD asset list creation" or something like that.

Note 2) How to accomplish this is myriad, but I'd guess it's often have your secondary set of data in a lookup, do a search against your primary location and do the lookup to get your other info, then write the whole mess out to whatever you have set up for your asset list (csv, likely).

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...