Splunk Enterprise Security

How do you populate is_expected, should_timesync, requires_av and should_update in the asset lookup in ES?

damode
Motivator

Given that these fields (is_expected, should_timesync, requires_av and should_update in the asset lookup of ES) don't dynamically come from any data source, I am keen to know what methods people use to populate these fields in the asset lookup?

Do you mainly create and maintain a static asset list for such fields?
Is there any better way or process to create and update this list?

Any help on this would be highly appreciated. Thanks


richgalloway
SplunkTrust

There's no one way to populate those fields.  Some customers have the values available in a data source.  Others hard-code them in a script.  Keeping a separate list is another way.  It depends on what works best in your environment.

---
If this reply helps you, Karma would be appreciated.

damode
Motivator

Thanks for your reply. Could you please give an example of hardcoding those fields in a script?


richgalloway
SplunkTrust

When I wrote "script" I was thinking of the scheduled searches I've used in the past rather than a Python-type of script.

... | eval is_expected = 1, should_timesync=1, requires_av=1, should_update=0
| ...
---
If this reply helps you, Karma would be appreciated.

nickhills
Ultra Champion

How you use these fields is determined by your own internal approaches to your assets.

In the past I have also included my own fields like "should_vuln" which calls out in some correlation searches for hosts that have escaped a recent vulnerability scan.

Whilst every environment differs, the general (anticipated) approach is that all systems should update time, os and have malware protection - unless there is a specific use case not to.

For this reason, you can build your asset lookup which sets a default value of "true" for these values and then a smaller lookup which excludes (eval requires_av=false) any systems which you don't expect to run AV.

This means you only have to manage a list of exception assets (maybe with wildcards on hostnames, or specific categories) that should NOT have these flags set, which should be a much smaller list to manage.

The "is_expected" flag is to help identify rogue or surprise assets that are sending logs. If you have a CMDB providing a "master" list of assets, you can use this as a source to which you `|eval is_expected=true`

If my comment helps, please give it a thumbs up!
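One way to turn the default-plus-exceptions approach above (and the scheduled-search idea from the earlier reply) into a single scheduled search; this is an added example, not code from the thread or from Splunk ES. It assumes a CMDB export lookup `cmdb_export.csv` with hostname, fqdn, ip_address, owner_team and category columns, and an exception lookup definition `asset_flag_exceptions` (columns nt_host, requires_av, should_timesync, should_update, only the columns to override filled in) whose transforms.conf stanza has `match_type = WILDCARD(nt_host)` so patterns such as `lab-*` match.

```spl
| inputlookup cmdb_export.csv
| rename hostname AS nt_host, fqdn AS dns, ip_address AS ip, owner_team AS owner
| eval is_expected="true"
| eval should_timesync="true", requires_av="true", should_update="true"
| lookup asset_flag_exceptions nt_host
    OUTPUT requires_av AS exc_requires_av,
           should_timesync AS exc_should_timesync,
           should_update AS exc_should_update
| eval requires_av=if(isnull(exc_requires_av) OR exc_requires_av="", requires_av, exc_requires_av)
| eval should_timesync=if(isnull(exc_should_timesync) OR exc_should_timesync="", should_timesync, exc_should_timesync)
| eval should_update=if(isnull(exc_should_update) OR exc_should_update="", should_update, exc_should_update)
| eval requires_av=if(category="network" OR category="appliance", "false", requires_av)
| fields - exc_*
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, requires_av, should_update
| outputlookup override_if_empty=false cmdb_assets_for_es.csv
```

Every CMDB host starts with all four flags true, hostname exceptions override only the columns they fill in, category exceptions are handled in the eval, and `override_if_empty=false` stops an empty CMDB export from wiping the existing lookup. Anything that sends logs but is absent from the CMDB will have no is_expected value in the merged asset list, which is exactly what that flag is meant to surface.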