Splunk Enterprise Security

How do you populate is_expected, should_timesync, requires_av and should_update in the asset lookup in ES?

damode
Motivator

Given that these fields (is_expected, should_timesync, requires_av and should_update in the asset lookup of ES) don't dynamically come from any data source, I am keen to know what methods people use to populate these fields in the asset lookup.

Do you mainly create and maintain a static asset list for such fields?
Is there any better way or process to create and update this list?

Any help on this would be highly appreciated. Thanks.


richgalloway
SplunkTrust

There's no one way to populate those fields. Some customers have the values available in a data source. Others hard-code them in a script. Keeping a separate list is another way. It depends on what works best in your environment.

---
If this reply helps you, Karma would be appreciated.

damode
Motivator

Thanks for your reply. Could you please give an example of hardcoding those fields in a script?


richgalloway
SplunkTrust

When I wrote "script" I was thinking of the scheduled searches I've used in the past rather than a Python-type of script.

... | eval is_expected = 1, should_timesync=1, requires_av=1, should_update=0
| ...
---
If this reply helps you, Karma would be appreciated.

nickhills
Ultra Champion

How you use these fields is determined by your own internal approaches to your assets.

In the past I have also included my own fields like "should_vuln" which calls out in some correlation searches for hosts that have escaped a recent vulnerability scan.

Whilst every environment differs, the general (anticipated) approach is that all systems should update time, os and have malware protection - unless there is a specific use case not to.

For this reason, you can build your asset lookup which sets a default value of "true" for these values and then a smaller lookup which excludes (eval requires_av=false) any systems which you don't expect to run AV.

This means you only have to manage a list of exception assets (maybe with wildcards on hostnames, or specific categories) that should NOT have these flags set, which should be a much smaller list to manage.

The "is_expected" flag is to help identify rogue or surprise assets that are sending logs. If you have a CMDB providing a "master" list of assets, you can use this as a source to which you `|eval is_expected=true`.

If my comment helps, please give it a thumbs up!
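The two approaches above (richgalloway's scheduled search that hard-codes the flags with `eval`, and nickhills' "default everything to true, then override from a small exception list") can be combined in one scheduled search. The SPL below is an added example, not code from either poster or from Splunk. It assumes a CMDB export already loaded as the lookup `cmdb_assets.csv` (with at least `ip`, `nt_host`, `dns` and `category` columns), an exception lookup `asset_flag_exceptions.csv` whose lookup definition is configured with `WILDCARD(nt_host)` so entries like `lab-*` match, and that the resulting `es_assets_merged.csv` is then registered as an asset source in ES's Asset and Identity Management. Lookup names and columns are placeholders.

```spl
| inputlookup cmdb_assets.csv
| fields ip, mac, nt_host, dns, owner, priority, bunit, category
``` The default posture: everything in the CMDB is expected and should sync time, patch and run AV
| eval is_expected="true", should_timesync="true", should_update="true", requires_av="true"
``` Exception lookup columns: nt_host (wildcards allowed), requires_av, should_update, should_timesync.
    Rows only need to set the flags they override; the rest stay blank.
| lookup asset_flag_exceptions nt_host OUTPUT requires_av AS exc_requires_av, should_update AS exc_should_update, should_timesync AS exc_should_timesync
``` An exception value wins only where it is present; otherwise the default stands
| eval requires_av=coalesce(exc_requires_av, requires_av),
       should_update=coalesce(exc_should_update, should_update),
       should_timesync=coalesce(exc_should_timesync, should_timesync)
| fields - exc_*
``` Normalise to the lowercase true/false strings the asset framework expects
| foreach is_expected should_timesync should_update requires_av
    [ eval <<FIELD>>=if(lower('<<FIELD>>') IN ("true","1","yes"), "true", "false") ]
| outputlookup es_assets_merged.csv
```

Schedule this search to run after each CMDB export refresh. Anything that shows up in your logs but not in `es_assets_merged.csv` will be unmatched by the asset lookup, which is exactly the "surprise asset" condition the `is_expected` flag is meant to surface in correlation searches, while the only file anyone has to hand-edit is the short exception list.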