Hi,
I am trying to find an automatic way of adding an asset priority (Critical, High, etc.) based on IP address and/or hostname in the Splunk Enterprise app so that I can set up alerts and prioritize investigations on these. I know that the Splunk PCI Compliance app does that, but we don't have it. I have searched the forum too, but haven't found anything.
Does anyone know of a way to achieve this?
Thanks in advance.
SPJ
Thanks, it works with a slight modification:
yoursearchhere
| lookup assetLookup assetId as src_ip OUTPUT priority
| stats count by priority
yoursearchhere
| lookup assetLookup assetId as host OUTPUT priority
| where priority="High" OR priority="Critical"
I suggest using a lookup table. Your CSV file might look like this:
AssetList.csv
assetId,priority
192.168.15.22,Medium
fileserver01,Low
Here is the Splunk tutorial "Use field lookups". In my examples below, I assume that you have uploaded the AssetList.csv file and created a lookup called assetLookup.
Ultimately, you should be able to do something like this:
yoursearchhere
| lookup assetLookup src_ip as assetId OUTPUT priority
| stats count by priority
yoursearchhere
| lookup assetLookup host as assetId OUTPUT priority
| where priority="High" OR priority="Critical"
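The same lookup wired in as an automatic lookup, so priority is attached at search time without a `| lookup` command in every search; this is an added example, not part of the answer above, and the sourcetype `firewall`, the `LOOKUP-` stanza names and the saved search name are assumptions:

```ini
# transforms.conf: define the lookup over the uploaded AssetList.csv
# (the CSV has the assetId,priority columns shown in the answer)
[assetLookup]
filename = AssetList.csv

# props.conf: run the lookup automatically for every event of this sourcetype.
# Syntax is <lookup-name> <csv-field> AS <event-field> OUTPUTNEW <field>.
[firewall]
# match the CSV assetId column against the event's src_ip field
LOOKUP-asset_priority_by_ip = assetLookup assetId AS src_ip OUTPUTNEW priority
# also match assetId against the event's host field (hostname rows in the CSV);
# OUTPUTNEW keeps a priority already set by the IP match instead of overwriting it
LOOKUP-asset_priority_by_host = assetLookup assetId AS host OUTPUTNEW priority

# savedsearches.conf: a scheduled alert that now needs no explicit lookup.
# Events for assets missing from the CSV have no priority field and are skipped.
[Activity on High or Critical assets]
search = sourcetype=firewall (priority="High" OR priority="Critical") | stats count by host src_ip priority
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
```

After deploying the conf files, `sourcetype=firewall | stats count by priority` should show the lookup being applied; assets that never get a priority indicate gaps in AssetList.csv.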