Given that these fields (is_expected, should_timesync, requires_av and should_update in the asset lookup of ES) don't dynamically come from any data source, I am keen to know what methods people use to populate these fields in the asset lookup.
Do you mainly create and maintain a static asset list for such fields?
Is there any better way or process to create and update this list?
Any help on this would be highly appreciated. Thanks
There's no one way to populate those fields. Some customers have the values available in a data source. Others hard-code them in a script. Keeping a separate list is another way. It depends on what works best in your environment.
Thanks for your reply. Could you please give an example of hardcoding those fields in a script?
When I wrote "script" I was thinking of the scheduled searches I've used in the past rather than a Python-type of script.
... | eval is_expected = 1, should_timesync=1, requires_av=1, should_update=0
| ...
How you use these fields is determined by your own internal approaches to your assets.
In the past I have also included my own fields like "should_vuln" which calls out in some correlation searches for hosts that have escaped a recent vulnerability scan.
Whilst every environment differs, the general (anticipated) approach is that all systems should update time and OS and have malware protection, unless there is a specific use case not to.
For this reason, you can build your asset lookup which sets a default value of "true" for these values and then a smaller lookup which excludes (eval requires_av=false) any systems which you don't expect to run AV.
This means you only have to manage a list of exception assets (maybe with wildcards on hostnames, or specific categories) that should NOT have these flags set, which should be a much smaller list to manage.
The "is_expected" flag is to help identify rogue or surprise assets that are sending logs. If you have a CMDB providing a "master" list of assets, you can use this as a source to which you `|eval is_expected=true`.
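Added example (not code from anyone in this thread): one way to implement the default-true-plus-exceptions approach described in the last answer, and the "hard-code the values in a script" idea from the earlier one, outside of SPL. It takes a CMDB export and a small exception list and emits an asset lookup CSV in which every CMDB asset gets is_expected, should_timesync, requires_av and should_update set to true, and only the exceptions (hostname wildcards or a category) flip individual flags to false. The CMDB column names, the exception-list layout and the true/false string values are assumptions for this example; the sample CSV data is constructed.

```python
"""Build a Splunk ES asset lookup from a CMDB export plus an exception list.

Pattern from the thread: every asset in the CMDB is expected and should
timesync, run AV and update by default; a much smaller exception list
clears individual flags for assets that are not meant to have them.
Column names and the exception-list format are assumptions for this example.
"""
import csv
import fnmatch
import io

# The four ES asset flags discussed in the thread.
FLAGS = ("is_expected", "should_timesync", "requires_av", "should_update")

# Constructed CMDB export (assumed columns). A real export will differ.
CMDB_CSV = """nt_host,dns,ip,category,owner
web01,web01.corp.example,10.0.1.10,web,ops
db01,db01.corp.example,10.0.2.20,database,dba
kiosk-lobby-1,,10.0.9.5,kiosk,facilities
ntp01,ntp01.corp.example,10.0.0.5,infra,ops
printer-3f,,10.0.8.33,printer,facilities
"""

# Constructed exception list (assumed format): match on an nt_host glob or
# an exact category, and clear the listed flags ('|'-separated) when matched.
EXCEPTIONS_CSV = """match_type,pattern,clear_flags
nt_host,kiosk-*,should_update
category,printer,requires_av|should_update
nt_host,ntp0?,should_timesync
"""


def load_exceptions(text):
    """Parse the exception list into (match_type, pattern, flags_to_clear) rules."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        clear = set(row["clear_flags"].split("|"))
        unknown = clear - set(FLAGS)
        if unknown:
            # Fail loudly rather than silently shipping a lookup with a typo'd flag.
            raise ValueError(f"unknown flag(s) in exception list: {sorted(unknown)}")
        rules.append((row["match_type"], row["pattern"], clear))
    return rules


def flags_for(asset, rules):
    """Default every flag to 'true', then apply each matching exception rule."""
    flags = {flag: "true" for flag in FLAGS}
    for match_type, pattern, clear in rules:
        value = (asset.get(match_type) or "").lower()
        if match_type == "nt_host":
            hit = fnmatch.fnmatch(value, pattern.lower())  # wildcard on hostname
        else:
            hit = value == pattern.lower()                  # exact match (e.g. category)
        if hit:
            for flag in clear:
                flags[flag] = "false"
    return flags


def build_asset_lookup(cmdb_text, exceptions_text):
    """Return the asset lookup rows: CMDB columns plus the four computed flags."""
    rules = load_exceptions(exceptions_text)
    rows = []
    for asset in csv.DictReader(io.StringIO(cmdb_text)):
        row = dict(asset)
        row.update(flags_for(asset, rules))
        rows.append(row)
    return rows


def to_csv(rows):
    """Serialise the rows as CSV text suitable for use as a lookup file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_asset_lookup(CMDB_CSV, EXCEPTIONS_CSV)))
```

The point of the split is the one the answer makes: the CMDB export is the only thing that has to be regenerated regularly, while the exception list is short, reviewable and changes rarely. Because is_expected is set for every CMDB row and nothing else, a host that shows up in logs but is absent from the resulting lookup is exactly the "rogue or surprise" asset the flag is meant to surface.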