Splunk Enterprise Security

How do you populate is_expected, should_timesync, requires_av and should_update in the asset lookup in ES?

damode
Motivator

Given that these fields (is_expected, should_timesync, requires_av and should_update in the asset lookup of ES) don't dynamically come from any data source, I am keen to know what methods people use to populate these fields in the asset lookup?

Do you mainly create and maintain a static asset list for such fields?
Is there any better way or process to create and update this list?

Any help on this would be highly appreciated. Thanks


richgalloway
SplunkTrust

There's no one way to populate those fields. Some customers have the values available in a data source. Others hard-code them in a script. Keeping a separate list is another way. It depends on what works best in your environment.

---
If this reply helps you, Karma would be appreciated.

damode
Motivator

Thanks for your reply. Could you please give an example of hardcoding those fields in a script?


richgalloway
SplunkTrust

When I wrote "script" I was thinking of the scheduled searches I've used in the past rather than a Python-type of script.

... | eval is_expected = 1, should_timesync=1, requires_av=1, should_update=0
| ...
---
If this reply helps you, Karma would be appreciated.

nickhills
Ultra Champion

How you use these fields is determined by your own internal approaches to your assets.

In the past I have also included my own fields like "should_vuln" which calls out in some correlation searches for hosts that have escaped a recent vulnerability scan.

Whilst every environment differs, the general (anticipated) approach is that all systems should update time, os and have malware protection - unless there is a specific use case not to.

For this reason, you can build your asset lookup which sets a default value of "true" for these values and then a smaller lookup which excludes (eval requires_av=false) any systems which you don't expect to run AV.

This means you only have to manage a list of exception assets (maybe with wildcards on hostnames, or specific categories) that should NOT have these flags set, which should be a much smaller list to manage.

The "is_expected" flag is to help identify rogue or surprise assets that are sending logs. If you have a CMDB providing a "master" list of assets, you can use this as a source to which you `|eval is_expected=true`

If my comment helps, please give it a thumbs up!
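The default-plus-exceptions approach described above, written out as a scheduled search (an added example, not code from either reply). It assumes two lookup definitions that you would create yourself: `cmdb_assets` (the CMDB export, with at least an `nt_host` column plus the usual asset columns) and `asset_exceptions`, a small table with columns `nt_host, should_timesync, should_update, requires_av` where only the flags to override are filled in (for example a row `vmtemplate-*,,,false`), configured with `WILDCARD(nt_host)` as its match type so hostname patterns work. The output file name is also an assumption.

```spl
| inputlookup cmdb_assets
| eval is_expected="true",
       should_timesync="true",
       should_update="true",
       requires_av="true"
| lookup asset_exceptions nt_host
    OUTPUT should_timesync AS exc_timesync,
           should_update AS exc_update,
           requires_av AS exc_av
| eval should_timesync=coalesce(exc_timesync, should_timesync),
       should_update=coalesce(exc_update, should_update),
       requires_av=coalesce(exc_av, requires_av)
| fields - exc_timesync, exc_update, exc_av
| table ip, mac, nt_host, dns, owner, priority, category, bunit,
        is_expected, should_timesync, should_update, requires_av
| outputlookup asset_lookup_from_cmdb.csv
```

Every CMDB host gets is_expected="true" and all three "should" flags default to "true"; the coalesce lines only replace a flag when the exception lookup supplies a value for that host, so hosts absent from the exception list keep the defaults. Point an ES asset source at the resulting CSV and schedule the search to run after each CMDB export.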