Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What defines an asset priority?

daniel333
Builder
‎10-21-2016 01:52 PM

All,

I am setting up asset center in Splunk ES/PCI. The idea of an Asset priority is sorta vague. Is it left that way on purpose? For me to define?

"Example: Must be one of unknown, informational, low, medium, high, or critical"

Reply

gokadroid
Motivator
‎10-21-2016 08:25 PM

To answer asset priority in simple terms, it means which asset's event will be prioritized if an (similar severity) event occurred at the same time on two assets. Straight from the docs is this:

The priority field (high) is combined with the severity of the search to create the urgency for the notable event.

http://docs.splunk.com/Documentation/PCI/3.2.0/User/AssetManagement#How_asset_fields_are_used

Prioritization. The same type of events on two different systems may not deserve the same level of attention; a medium severity event against a desktop machine is less urgent than the same issue against an externally facing web-server that processes credit card information. Asset management allows an urgency to be computed based on the priority of hosts and assign higher urgency to high priority assets.

http://docs.splunk.com/Documentation/PCI/3.2.0/User/AssetManagement

Reply

kevin8
New Member
‎09-26-2023 11:59 AM

What about the 3rd dimension, risk? Seems fair to make 3 for urgency.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎10-21-2016 02:01 PM

The severity of the event and the priority of the host are combined to generate the urgency of an event. That is what is built into the system. Users desktop less important than server, which is less important than a critical app server etc... You get to assign your priorities based on what is important to your environment.

http://docs.splunk.com/Documentation/PCI/3.2.0/User/AssetManagement

alt text

Preview file
1 KB
Reply

daniel333
Builder
‎10-21-2016 03:02 PM

Hey, thanks for replying. I guess what I am looking for is what defines an asset priority?

0 Karma
Reply

mshill24
Engager
‎04-03-2018 12:29 PM

I have the same/a similar question: How do you change an Asset's priority? I have a bunch of Assets, but they are all medium priority. I want to start changing the priority of some Assets to High and Critical... How do I do this?

0 Karma
Reply

vr2312
Builder
‎09-04-2023 07:19 PM

You can do that by clicking the Assets and Identity lookups and follow the hyperlink under the source tab. That will redirect it to the contents of the lookup where you can click on the field and edit it.

0 Karma
Reply

gokadroid
Motivator
‎10-21-2016 10:23 PM

Asset priority , if required specifically, as per your comment is defined in answer I have provided.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...