Managing Assets in Splunk Enterprise Security
Author: Ben Marrable
Release Date: 24/03/21
What asset data do we need?
| Field | Data Type | Description | Example |
|---|---|---|---|
| ip | pipe-delimited numbers | A pipe-delimited list of single IP addresses or IP ranges. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset. | 2.0.0.0/8\|1.2.3.4\|192.168.15.9-192.169.15.27\|5.6.7.8\|10.11.12.13 |
| mac | pipe-delimited strings | A pipe-delimited list of MAC addresses. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset. | 00:25:bc:42:f4:60\|00:50:ef:84:f1:21\|00:50:ef:84:f1:20 |
| nt_host | pipe-delimited strings | A pipe-delimited list of Windows machine names. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset. | ACME-0005\|SSPROCKETS-0102\|COSWCOGS-013 |
| dns | pipe-delimited strings | A pipe-delimited list of DNS names. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset. | acme-0005.corp1.acmetech.org\|SSPROCKETS-0102.spsp.com\|COSWCOGS-013.cwcogs.com |
| owner | string | The user or department associated with the device. | f.prefect@acmetech.org, DevOps, Bill |
| priority | string | Recommended. The priority assigned to the device for calculating the Urgency field for notable events on Incident Review. An "unknown" priority reduces the assigned Urgency by default. For more information, see How urgency is assigned to notable events in Splunk Enterprise Security. | unknown, low, medium, high or critical |
| lat | string | The latitude of the asset. | 41.040855 |
| long | string | The longitude of the asset. | 28.986183 |
| city | string | The city in which the asset is located. | Chicago |
| country | string | The country in which the asset is located. | USA |
| bunit | string | Recommended. The business unit of the asset. Used for filtering by dashboards in Splunk Enterprise Security. | EMEA, NorCal |
| category | pipe-delimited strings | Recommended. A pipe-delimited list of logical classifications for assets. Used for asset and identity correlation and categorization. See Asset/Identity Categories. | server\|web_farm\|cloud |
| pci_domain | pipe-delimited strings | A pipe-delimited list of PCI domains. See Configure assets in the Splunk App for PCI Compliance Installation and Configuration Manual. If left blank, defaults to untrust. | cardholder, trust\|dmz, untrust |
| is_expected | boolean | Indicates whether events from this asset should always be expected. If set to true, the Expected Host Not Reporting correlation search performs an adaptive response action when this asset stops reporting events. | "true", or blank to indicate "false" |
| should_timesync | boolean | Indicates whether this asset must be monitored for time-sync events. If set to true, the Should Timesync Host Not Syncing correlation search performs an adaptive response action if this asset does not report any time-sync events from the past 24 hours. | "true", or blank to indicate "false" |
| should_update | boolean | Indicates whether this asset must be monitored for system update events. | "true", or blank to indicate "false" |
| requires_av | boolean | Indicates whether this asset must have anti-virus software installed. | "true", or blank to indicate "false" |
How do we gather this information?
The search below reads the raw CMDB export, derives priority and category from the CMDB attributes, normalises the business unit to a fixed set of values, sets the boolean monitoring flags, enriches lat/long from a location lookup and writes the result to the assets_from_cmdb lookup that Splunk Enterprise Security consumes. Note that memberOf and computerName are used by the priority logic, so they must survive the fields command; the eval comment=... lines only label each stage and are dropped by the final table command.

```spl
| inputlookup raw_assets_from_cmdb.csv
| fields ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, SystemType, memberOf, computerName
| fillnull value="" ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, SystemType, memberOf, computerName
| eval comment="Priority Definement"
| eval priority=case(
    match(memberOf,"Critical\sPriority\sServers"),"critical",
    match(computerName,"criticalVirtualServer\d*"),"critical",
    match(memberOf,"High\sPriority\sServers"),"high",
    match(nt_host,"server"),"high",
    match(nt_host,"network_device"),"medium",
    match(nt_host,"desktop"),"low",
    match(nt_host,"laptop"),"low",
    1==1,"low")
| eval comment="Category Definement"
| makemv delim="|" category
| eval category=if(match(SystemType,"Server"),mvappend(category,"server"),category)
| eval category=if(match(SystemType,"Desktop"),mvappend(category,"endpoint"),category)
| eval category=if(match(nt_host,"VirtualServer"),mvappend(category,"virtual_machine"),category)
| eval category=mvsort(mvdedup(category))
| eval category=mvjoin(category,"|")
| eval comment="Department Possible Values Check"
| eval bunit=case(
    bunit="IT","IT",
    bunit="Information Technology","IT",
    bunit="Legal","Legal",
    1==1,"")
| eval pci_domain=""
| eval is_expected="false"
| eval should_timesync="true"
| eval should_update="true"
| eval requires_av="true"
| lookup asset_locations city, country OUTPUTNEW lat, long
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av
| outputlookup assets_from_cmdb
```
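As an added check (example code written for this post, not part of the original article or of Splunk Enterprise Security), the following Python validator applies the rules from the asset field table to rows of the lookup the search above produces: at least one of ip, mac, nt_host or dns populated, pipe-delimiting in at most one of them, well-formed ip entries (single address, CIDR block or start-end range), priority from the allowed set, and the boolean fields either "true" or blank. The sample rows are constructed.

```python
import csv, io, ipaddress

# Rules taken from the asset field table above.
KEY_FIELDS = ("ip", "mac", "nt_host", "dns")
PRIORITIES = {"unknown", "low", "medium", "high", "critical", ""}  # blank allowed: field is only "recommended"
BOOL_FIELDS = ("is_expected", "should_timesync", "should_update", "requires_av")

def valid_ip_entry(entry):
    """Accept a single address, a CIDR block, or a start-end range."""
    try:
        if "-" in entry:
            start, end = entry.split("-", 1)
            return ipaddress.ip_address(start) <= ipaddress.ip_address(end)
        return bool(ipaddress.ip_network(entry, strict=False))
    except (ValueError, TypeError):  # TypeError: mixed IPv4/IPv6 range
        return False

def validate_asset(row):
    """Return the list of rule violations for one asset row (empty list == valid)."""
    problems = []
    if not any(row.get(f) for f in KEY_FIELDS):
        problems.append("no ip/mac/nt_host/dns value")
    delimited = [f for f in KEY_FIELDS if "|" in row.get(f, "")]
    if len(delimited) > 1:
        problems.append("pipe-delimited in more than one key field: " + ",".join(delimited))
    for entry in filter(None, row.get("ip", "").split("|")):
        if not valid_ip_entry(entry.strip()):
            problems.append("bad ip entry %r" % entry)
    if row.get("priority", "") not in PRIORITIES:
        problems.append("priority %r not in allowed set" % row.get("priority"))
    for f in BOOL_FIELDS:
        if row.get(f, "") not in ("", "true"):
            problems.append("%s must be 'true' or blank" % f)
    return problems

def validate_csv(text):
    """Validate every row of an asset lookup CSV; returns {row_number: problems}."""
    reader = csv.DictReader(io.StringIO(text))
    return {i: p for i, r in enumerate(reader, 1) if (p := validate_asset(r))}

# Constructed sample lookup rows (not from the original post); rows 2 to 4 each break a rule.
SAMPLE = """ip,mac,nt_host,dns,priority,is_expected,should_timesync
10.0.0.0/8|192.168.15.9-192.169.15.27,,,,high,true,
,00:25:bc:42:f4:60|00:50:ef:84:f1:21,ACME-0005|ACME-0006,,critical,,true
,,,,low,true,
1.2.3.4,,desktop-07,,urgent,yes,
"""
```

Running validate_csv over the exported lookup before the asset and identity framework picks it up catches rows that would otherwise silently fail to match, or match on the wrong key, during correlation.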