Somerford Blog

Managing Assets in Splunk Enterprise Security

Author: Ben Marrable
Release Date: 24/03/21

In general, assets tend to be more complex as every environment is different. The first point of call will be whether the business has an up to date CMDB but a lot of the time that’s unfortunately not the case, so alternatives can be spreadsheets, Active Directory, some kind of endpoint management solution logging into Splunk or ultimately a combination of many sources. A good starting point is to build an initial asset list based on the network ranges in the environment to easily distinguish generic network devices etc. These provide the ability to categorise and prioritise devices that we don’t have the exact details for. Once we have the base network assets, we need to look for a more specific lists for servers, endpoints and network devices (firewalls, routers, switches, access points etc.).

Most Recent Post:

Protecting Data Using Artificial Intelligence and Machine Learning

Netskope Presents: Protecting Data Using Artificial Intelligence & Machine Learning As a leader in cloud security, Netskope is at the forefront of developing and integrating the latest AI/ML technology into its data and threat protection capabilities, as well as its business operations. Netskope is committed to assisting organisations in protecting all their sensitive data (both

Field	Data Type	Description	Example
ip	pipe-delimited numbers	A pipe-delimited list of single IP address or IP ranges. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset.	2.0.0.0/8 \|1.2.3.4 \|192.168.15.9192.169.15.27 \|5.6.7.8 \|10.11.12.13
mac	pipe-delimited strings	A pipe-delimited list of MAC address. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset.	00:25:bc:42:f4:60 \|00:50:ef:84:f1:21 \|00:50:ef:84:f1:20
nt_host	pipe-delimited strings	A pipe-delimited list of Windows machine names. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset.	ACME-0005\|SSPROCKETS-0102 \|COSWCOGS-013
dns	pipe-delimited strings	A pipe-delimited list of DNS names. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset.	acme-0005.corp1.acmetech.org \|SSPROCKETS-0102.spsp.com \|COSWCOGS-013.cwcogs.com
owner	string	The user or department associated with the device	f.prefect@acmetech.org, DevOps, Bill
priority	string	Recommended. The priority assigned to the device for calculating the Urgency field for notable events on Incident Review. An “unknown” priority reduces the assigned Urgency by default. For more information, see How urgency is assigned to notable events in Splunk Enterprise Security.	unknown, low, medium, high or critical.
lat	string	The latitude of the asset	41.040855
long	string	The longitude of the asset	28.986183
city	string	The city in which the asset is located	Chicago
country	string	The country in which the asset is located	USA
bunit	string	Recommended. The business unit of the asset. Used for filtering by dashboards in Splunk Enterprise Security.	EMEA, NorCal
category	pipe-delimited strings	Recommended. A pipe-delimited list of logical classifications for assets. Used for asset and identity correlation and categorization. See Asset/Identity Categories.	server\|web_farm\|cloud
pci_domain	pipe-delimited strings	A pipe-delimited list of PCI domains. See Configure assets in the Splunk App for PCI Compliance Installation and Configuration Manual.	cardholder, trust\|dmz, untrust If left blank, defaults to untrust.
is_expected	boolean	Indicates whether events from this asset should always be expected. If set to true, the Expected Host Not Reporting correlation search performs an adaptive response action when this asset stops reporting events.	“true”, or blank to indicate “false”
should_timesync	boolean	Indicates whether this asset must be monitored for time-sync events. It set to true, the Should Timesync Host Not Syncing correlation search performs an adaptive response action if this asset does not report any time-sync events from the past 24 hours.	“true”, or blank to indicate “false”
should_update	boolean	Indicates whether this asset must be monitored for system update events.	“true”, or blank to indicate “false”
requires_av	boolean	Indicates whether this asset must have anti-virus software installed.	“true”, or blank to indicate “false”

How do we gather this information?

As I said, the data can tend to come from a collection of sources, CMDB’s, spreadsheets, AD or some form of Splunk data. Here, I’m going to presume we have a csv dump with a variety of fields exported from our CMDB.

| inputlookup raw_assets_from_cmdb.csv

| fields ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, SystemType

| fillnull value=”” ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av

| eval comment=”Priority Definement”

| eval priority=case(

match(memberOf,”Critical\sPriority\sServers”),”critical”,

match(computerName,”criticalVirtualServer\d*”),”critical”,

match(memberOf,”High\sPriority\sServers”),”high”,

match(nt_host,”server”),”high”,

match(nt_host,”network_device”),”medium”,

match(nt_host,”desktop”),”low”,

match(nt_host,”laptop”),”low”,

1==1,”low”)

| eval comment=”Category Definement”

| makemv delim=”|” category

| eval category=if(match(SystemType,”Server”),mvappend(category,”server”),category)

| eval category=if(match(SystemType,”Desktop”),mvappend(category,”endpoint”),category)

| eval category=if(match(nt_host,”VirtualServer”),mvappend(category,”virtual_machine”),category)

| eval category=mvsort(mvdedup(category))

| eval category=mvjoin(category,”|”)

| eval comment=”Department Possible Values Check”

| eval bunit=case(

bunit=”IT”,”IT”,

bunit=”Information Technology”,”IT”,

bunit=”Legal”,”Legal”,

1==1,””)

| eval pci_domain=””

| eval is_expected=”false”

| eval should_timesync=”true”

| eval should_update=”true”

| eval requires_av=”true”

| lookup asset_locations city, country OUTPUTNEW lat, long

| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av

| outputlookup assets_from_cmdb

Let’s break this search down, so we understand each part:

| inputlookup raw_assets_from_cmdb.csv

| fields ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, SystemType

| fillnull value=”” ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av

This section pulls the csv file and extracts only the fields required so that future calculation statements use less memory and perform better. It then fills all NULL values with an empty string, as certain calculation statements do not apply to NULL values.

| eval comment=”Priority Definement”

| eval priority=case(

match(memberOf,”Critical\sPriority\sServers”),”critical”,

match(computerName,”criticalVirtualServer\d*”),”critical”,

match(memberOf,”High\sPriority\sServers”),”high”,

match(nt_host,”server”),”high”,

match(nt_host,”network_device”),”medium”,

match(nt_host,”desktop”),”low”,

match(nt_host,”laptop”),”low”,

1==1,”low”)

This section is about defining the priority for each Asset, priority is one of the most critical fields to define and to distinguish between Assets. Several attributes can be used to give some definition to the search, using a case statement hitting the highest priorities first. Attributes which are useful here are the OU that the account sits within the domain (which could be found with ldapfilter), groups the account is a member of (ldapgroup) and of course the hostname of the actual system. There may be many other fields within the export, such as description which could help with the priority definement.

| eval comment=”Category Definement”

| makemv delim=”|” category

| eval category=if(match(SystemType,”Server”),mvappend(category,”server”),category)

| eval category=if(match(SystemType,”Desktop”),mvappend(category,”endpoint”),category)

| eval category=if(match(nt_host,”VirtualServer”),mvappend(category,”virtual_machine”),category)

| eval category=mvsort(mvdedup(category))

| eval category=mvjoin(category,”|”)

Next we look at defining some categories, categories are useful for dividing data within Splunk, so we can see items such as the number of failed authentication to physical machines or to servers etc.

| eval comment=”Department Possible Values Check”

| eval bunit=case(

bunit=”IT”,”IT”,

bunit=”Information Technology”,”IT”,

bunit=”Legal”,”Legal”,

1==1,””)

This section looks to combine and clean some data which may be populated badly in the CMDB, restricting to match only certain bunits, as it’s quite common for Assets to have various spelling mistakes and alternative forms of departments within a CMDB list.

| eval pci_domain=””

| eval is_expected=”false”

| eval should_timesync=”true”

| eval should_update=”true”

| eval requires_av=”true”

Additionally we create a blank field for pci_domain as we are not pci relevant, set is_expected to false and the other values to true. It is recommended to calculate these fields wherever possible, using similar methods demonstrated above.

| lookup asset_locations city, country OUTPUTNEW lat, long

Here we poll the city and country held within the CMDB export to pull the latitude and longitude from a lookup containing those details for work locations within the business.

| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av

| outputlookup assets_from_cmdb

Finally we output the data into a lookup table file to incorporate into ES.

Cookie	Duration	Description
ADRUM_BT1	past	This cookie is used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
ADRUM_BTa	past	This cookie is used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_1170872_23	1 minute	Set by Google to distinguish users.
_gat_gtag_UA_99925054_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	16 years 2 months 24 days 11 hours 26 minutes	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
cookie-test	past	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
guest	1 month 1 hour	No description available.
jcm	past	No description
jcmc	past	No description
JOTFORM_SESSION	1 month	No description available.
SameSite	past	No description available.
theme	1 month 1 hour	No description available.
userReferer	1 month 1 hour	No description available.

Somerford Blog

Managing Assets in Splunk Enterprise Security

Author: Ben Marrable
Release Date: 24/03/21

Most Recent Post:

Protecting Data Using Artificial Intelligence and Machine Learning

What asset data do we need?

How do we gather this information?

Interested in seeing a demo of Enterprise Security & its potential uses for your organisation?

Somerford Blog

Managing Assets in Splunk Enterprise Security

Author: Ben Marrable Release Date: 24/03/21

Most Recent Post:

Protecting Data Using Artificial Intelligence and Machine Learning

What asset data do we need?

How do we gather this information?

Interested in seeing a demo of Enterprise Security & its potential uses for your organisation?​

Author: Ben Marrable
Release Date: 24/03/21

Interested in seeing a demo of Enterprise Security & its potential uses for your organisation?