![]() asset_lookup_by_str is for individual assets and their specific attributes. There are two lookups created for assets, asset_lookup_by_str, and asset_lookup_by_cidr. The merging of asset and identity data is facilitated by a set of searches that run automatically at an administrator-defined time interval. The Asset and Identity Management configuration screen has been revised in version 6.0 and can be found by navigating to Configure -> Data Enrichment -> Asset and Identity and on the far left of the screen you can see which lists are ranked in order or precedence. However, other fields, like priority, must be a single value. Some fields, such as category, will merge the values together. That mechanism is to apply a rank to each list. Because it is not uncommon for an asset to exist in multiple lists, Enterprise Security has a mechanism built into it to merge values and choose a single value for certain fields by ensuring that one list takes precedence over another. Obviously, there are more fields, but you get the idea. One list has the mac (MAC Address) field populated, the other has the dns field populated with a fully qualified domain name, however, the devices are categorized differently and their priorities are different. For ease of viewing I pulled them together in a single search here: When I say the same asset, I am referring to a device with one of the four key fields ip, dns, mac or nt_host having the same value in multiple lists.įor example, 10.1.4.99 is in two distinct lists. However, it is important to understand that on occasion, the same asset might be in multiple lookups. This can be quite handy if you are collecting from different sources or different parts of an organization. Have no fear, it is possible to have multiple lookup tables for assets and identities and Enterprise Security will automatically merge them. Steven, you mentioned that you have multiple lists of assets in your organization. Identities have a slightly different set of fields associated with it. The following fields are available to map asset data. These data sources can then be polled on a regular basis to get updated information. Splunk ES can generate a lookup that will store this information. It can come from any number of places including a CMDB, but also Active Directory, LDAP and many more data sources. You may be wondering where the asset and identity data come from, dear reader. The framework is pulling these supporting pieces of information for every system (asset) and user account (identity) that have information for when an analyst reviews events. ![]() In the example below, the host is located in San Francisco, is categorized as an Active Directory and Windows system, it part of the IT business unit and has an IP address of 10.1.1.10. Its goal is to contextualize systems and user accounts and associate them with the events that Splunk is collecting and indexing. ![]() One of the five frameworks that Splunk built into its Enterprise Security (ES) platform is the Asset & Identity framework. Taking this an additional step forward, having this contextualization can also allow an organization to build correlation searches that are specific to certain assets. If an analyst can look at a notable event and understand where an asset is located, who it is owned by, the data classification the system holds within a specific audit boundary, and so on, these contextual clues can help speed decision making. The contextualizing of devices, or assets, as we refer to them at Splunk, is quite important to better understand the output of your SIEM. This is critical to allow analysts to nimbly understand more than just the event they have but the system the event is occuring on. One of the key values that a SIEM must provide is the ability to take events as they occur and correlate them with systems in an organization. Thank you for your note, Steven! I feel like we have heard from you before, but perhaps I am mistaken. They are looking to me for answers! Heaven knows I’m miserable now. ![]() To make matters worse, we have multiple lists of systems from different groups in our organization. They aren’t certain what to prioritize and are always looking at spreadsheets to learn more. Sure, they have a device with the name SW-MX-F1-d2100-DL585 but they can’t tell if it is PCI Compliant or where it is located. They are looking at events but don’t have any idea of the context of the systems referenced. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |