Identify assets in your environment
Asset data refers to information about the devices that are owned by your company. Splunk UBA ingests asset data from Splunk Enterprise daily using asset lookup queries. Splunk UBA uses this predefined device information in the following ways:
- An in-memory cache is used to store some of the asset lookup results, which are used by Splunk UBA to perform device resolution. See Device resolution in Splunk UBA in Use Splunk User Behavior Analytics for more information about how Splunk UBA uses asset data to resolve device names.
- Blacklist devices such as domain controllers, exchange servers, file servers, print servers or proxy servers that are not associated with a specific user.
- Display additional metadata for devices in the system.
You can update the asset data information in Splunk UBA using one of the following methods:
- Perform asset identification by using the Splunk Assets data source to perform queries against the Splunk platform.
- Perform asset identification by using a CSV file when you are unable to perform direct searches on the Splunk platform.
Prerequisites for performing asset identification
You must perform asset identification after HR data is loaded into Splunk UBA, but before any event data is loaded.
In addition, verify the following on Splunk Enterprise:
- The ldapsearch command must be available and capable of accessing the LDAP server. The ldapsearch command is used to retrieve domain controller information. Splunk UBA cannot obtain domain controller information in Splunk Cloud environments.
- If you have Splunk Enterprise Security (ES), the asset table must be reachable through Splunk Enterprise. Access to the asset table is required to access the asset database.
- References to indexes and sources of Windows Security events in Splunk Enterprise must be available. The indexes and sources are required to access proxy information.
Not all data at your site might be processed correctly. In some cases you receive an error message in Splunk UBA; in others, the error appears only in the log file.
Asset data fields
Assets in Splunk UBA can be searched using the fields below.
Field | Data Type | Description | Example |
---|---|---|---|
hostname | string | Required. The hostname of the device. | server1 |
blackListDeviceIr | boolean | Recommended. Indicates whether or not any IP addresses are associated with the MAC address for this device. Set to true to prevent any IP addresses from being associated with the MAC address for this device. See Exclude identity resolution for devices or users. | false |
blackListUserIr | boolean | Recommended. Indicates whether or not any users are associated with this device. Set to true to prevent any users from being associated with this device. See Exclude identity resolution for devices or users. | false |
app | string | The application name. | Database |
asset_tag | string | The asset ID on the physical asset tag, such as a sticker, that is typically placed on each device in your organization. | 123456 |
bunit | string | The business unit that the device belongs to. | EMEA, NorCal |
city | string | The city where the device is located. | Chicago |
cost_center | string | The cost center that the device belongs to. | SP01FIN |
country | string | The country where the device is located. | USA |
created_by | string | The name of the user who created the device in the system. | DevOps |
department | string | The department that the device belongs to. | Field Reps, ITS, Products, HR |
deviceType | string | The type of device. | client |
dns_domain | string | The domain of the device. | www.acmetech.org |
dns | string | The FQDN of the device. | server1.corp1.acmetech.org |
ip | array | The IP address of the device. The field may contain multiple values. See Configure asset ingestion for multivalue fields. | 2.1.1.1 |
is_expected | boolean | Indicates whether or not this device is always expected. Alerts are generated if this device stops reporting events. | true |
latitude | string | The latitude location of the device. | 37.780080 |
longitude | string | The longitude location of the device. | -122.420170 |
mac | array | The MAC address of the device. The field may contain multiple values. See Configure asset ingestion for multivalue fields. | 00:50:ef:84:f1:21\|00:50:ef:84:f1:20 |
managed_by | string | The manager of the device. | admin |
os | string | The operating system running on the device. | macOS, Windows |
os_domain | string | The OS domain of the device. | Windows |
owner | string | The owner of the device. | f.prefect@acmetech.org, DevOps, Bill |
pci_domain | string | The PCI address domain of the device. | dmz, untrust |
serial | string | The serial number of the device. | AB1C24D5EFGH |
status | string | The hexadecimal Windows status code for the device. | 0XC0000234 (user is currently locked out) |
substatus | string | The hexadecimal sub-status code for the device. | 0XC000006D (invalid username or authentication) |
sys_created_on | timestamp | The date and time stamp of when the device was first entered into the system. The format is MM/DD/YYYY. | 05/01/2019 |
sys_updated_on | timestamp | The date and time stamp of the last time the device was updated. For example, a laptop may be assigned to a new owner. The format is MM/DD/YYYY. | 05/01/2019 |
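Before loading an asset CSV, it is worth checking it against the field rules in the table above (hostname required, the boolean fields limited to true/false, the timestamp fields in MM/DD/YYYY). The following validator is an added example and is not part of Splunk UBA or this documentation; the rules are taken from the table, and the sample CSV rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Rules taken from the asset data field table on this page.
REQUIRED_FIELDS = {"hostname"}
BOOLEAN_FIELDS = {"blackListDeviceIr", "blackListUserIr", "is_expected"}
DATE_FIELDS = {"sys_created_on", "sys_updated_on"}  # documented format: MM/DD/YYYY


def validate_asset_row(row):
    """Return a list of problems found in one asset row; an empty list means the row is OK."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not row.get(field, "").strip():
            problems.append(f"missing required field {field}")
    for field in BOOLEAN_FIELDS:
        value = row.get(field, "")
        if value and value.strip().lower() not in ("true", "false"):
            problems.append(f"{field} must be true or false, got {value!r}")
    for field in DATE_FIELDS:
        value = row.get(field, "")
        if value:
            try:
                datetime.strptime(value.strip(), "%m/%d/%Y")
            except ValueError:
                problems.append(f"{field} must be MM/DD/YYYY, got {value!r}")
    return problems


def validate_asset_csv(text):
    """Validate every data row of a CSV string.

    Returns {line_number: [problems]} for rows that have issues; line 1 is the header.
    """
    reader = csv.DictReader(io.StringIO(text))
    bad = {}
    for line_no, row in enumerate(reader, start=2):
        problems = validate_asset_row(row)
        if problems:
            bad[line_no] = problems
    return bad


# Constructed sample: line 2 is clean, line 3 has a bad boolean, line 4 lacks a
# hostname and uses an ISO date instead of MM/DD/YYYY.
SAMPLE_CSV = """hostname,ip,blackListUserIr,is_expected,sys_created_on
server1,2.1.1.1,false,true,05/01/2019
dc01,10.0.0.5,true,yes,05/01/2019
,10.0.0.9,false,false,2019-05-01
"""

if __name__ == "__main__":
    for line_no, problems in sorted(validate_asset_csv(SAMPLE_CSV).items()):
        print(f"line {line_no}: " + "; ".join(problems))
```

Run it over the file you intend to load; a row that fails the hostname check would be silently useless to device resolution, and a date in the wrong format would not populate sys_created_on as documented.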
Configure asset ingestion for multivalue fields
Some assets can have multiple values in a field, such as multiple IP addresses or MAC addresses. Splunk UBA creates separate devices for each IP address or MAC address if the addresses are separated by commas, as shown in the following example:
192.168.10.10,192.168.10.20,192.168.10.30
For data sources such as Splunk Enterprise Security (ES) that use a delimiter other than a comma, update the attribution.keyvalue.delimiter property in the uba-site.properties file to specify the desired delimiter. For example, to specify that multiple IP and MAC addresses are separated using a pipe (|) character instead of a comma:
attribution.keyvalue.delimiter=Device.ip=\\|,Device.mac=\\|
In this property, Device.ip describes the ip attribute of the Device attribution and Device.mac describes the mac attribute of the Device attribution; both names are case-sensitive. \\| is the regular expression for the desired delimiter.
This example takes the IP addresses 192.168.10.10|192.168.10.20|192.168.10.30 and stores them as follows in Splunk UBA:
{192.168.10.10,192.168.10.20,192.168.10.30}
Remove or comment out the attribution.keyvalue.delimiter property to use a comma as the delimiter for multivalue fields.
Synchronize your Splunk UBA cluster after making any changes to your uba-site.properties file:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
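The following added example models how a property of the form above is interpreted: one regular expression per attribute name, comma as the default for every field that has no entry. It is not Splunk UBA's own code; the .properties unescaping (a doubled backslash in the file becoming a single backslash, so that \\| is read as the regex \|) and the one-entry-per-comma layout are assumptions drawn from the example on this page. It also shows the two failure modes a practitioner should expect: a value that uses a different delimiter than the one configured is stored as a single bogus address, and an attribute name with the wrong case falls back to the comma default.

```python
import re


def load_properties_value(raw):
    """Minimal .properties unescape: a doubled backslash in the file is one backslash in the value.

    Assumption for this example; only backslash pairs are handled.
    """
    return raw.replace("\\\\", "\\")


def parse_delimiter_property(raw):
    """Parse an attribution.keyvalue.delimiter value into {attribute: compiled regex}.

    An empty or missing value returns {}, meaning a comma is used for every multivalue field.
    Entries are separated by commas, so a delimiter regex that itself contains a comma is
    not representable in this layout (assumption, consistent with the page's example).
    """
    table = {}
    if not raw or not raw.strip():
        return table
    for entry in load_properties_value(raw.strip()).split(","):
        attribute, _, pattern = entry.partition("=")
        if not attribute or not pattern:
            raise ValueError(f"malformed delimiter entry: {entry!r}")
        table[attribute.strip()] = re.compile(pattern)  # attribute names stay case-sensitive
    return table


def split_multivalue(attribute, value, delimiters):
    """Split one raw field value into the list of values that would become separate devices."""
    regex = delimiters.get(attribute)
    parts = regex.split(value) if regex else value.split(",")
    return [p.strip() for p in parts if p.strip()]


# The property exactly as written on this page.
PIPE_PROPERTY = r"Device.ip=\\|,Device.mac=\\|"

if __name__ == "__main__":
    delims = parse_delimiter_property(PIPE_PROPERTY)
    print(split_multivalue("Device.ip", "192.168.10.10|192.168.10.20|192.168.10.30", delims))
    # Comma-separated input with the pipe property set: one value, not three.
    print(split_multivalue("Device.ip", "192.168.10.10,192.168.10.20", delims))
    # Property removed: comma is the delimiter again.
    print(split_multivalue("Device.ip", "192.168.10.10,192.168.10.20,192.168.10.30", {}))
```

The second call is the one to watch for after changing the property: if some asset rows still come in comma-separated, they will not be split, and a single device with an address like 192.168.10.10,192.168.10.20 will appear in Manage > Assets.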
Perform asset identification by using the Splunk Assets data source
After you meet the requirements for performing asset identification, you can begin asset identification by using the Splunk Assets data source.
Perform the following tasks to perform asset identification in Splunk UBA:
- Configure a Splunk Assets data source.
- Perform an LDAP query to obtain assets data from the Splunk platform.
- Modify the Splunk UBA asset configuration files.
Configure a Splunk Assets data source
Configure a Splunk Assets data source in Splunk UBA.
- In Splunk UBA, select Manage > Data Sources.
- Click New Data Source.
- Scroll down to the Device Attribution section, select Splunk Assets, and then click Next.
- Enter the connection details to the Splunk platform (name, URL, and authentication credentials), and then click Next. If you are connecting to Splunk ES, specify the Splunk ES search head as the URL of the data source.
- Specify the query frequency and search string to get WinEventSecurity data for proxy identification. The frequency interval begins when the data source is configured. For example, if you finish configuring the data source at 3:30 PM and you select Daily as the frequency, Splunk UBA refreshes the asset data each day at 3:30 PM. The query can only contain sourcetype and Splunk indexes. For example:
index=main sourcetype=WinEventLog:Security
- Click OK.
Perform an LDAP query to obtain assets data from the Splunk platform
After you create a Splunk Assets data source, perform an LDAP query to create a lookup CSV file.
Use the following example as a guideline, and replace the commands and transformations as needed for your environment:
- Create an LDAP query such as the one below and run it on Splunk Enterprise. The query creates a CSV file that is used later. Be sure to replace <domain-name> with an appropriate domain name for your environment.
| ldapsearch domain=<domain-name> search="(&(objectCategory=computer)(sAMAccountName=*))" attrs="accountExpires,cn,countryCode,dNSHostName,department,description,distinguishedName,division,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,name,objectCategory,objectGUID,objectSid,operatingSystem,operatingSystemVersion,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,userAccountControl,whenChanged,whenCreated" | outputlookup uba_ldapsearch_computers.csv
- Schedule the LDAP query as a job to run every night around 10:00 PM local time. See Scheduling searches in the Splunk Enterprise Search Manual.
Modify the Splunk UBA asset configuration files
Modify the Splunk UBA asset configuration files to use the lookup CSV file you created earlier.
- Make local copies of the existing asset configuration files and put them in the /etc/caspida/local/conf folder:
cp -a /etc/caspida/conf/asset_* /etc/caspida/local/conf/.
- Replace the contents of /etc/caspida/local/conf/asset_dc_query.txt with a lookup query such as the one below:
| inputlookup uba_ldapsearch_computers.csv | fields - _raw | rex max_match=0 field=distinguishedName ".*?OU=(?<groups>[^,=]+),.*?" | eval deviceType=mvjoin(groups, " - ") | rename name as hostname, dNSHostName as dns, operatingSystem as os, countryCode as country, whenCreated as sys_created_on, whenChanged as sys_updated_on | eval blackListUserIr=IF((lower(deviceType)="domain controllers" OR like(lower(deviceType), "%prox%") OR like(lower(deviceType), "%exch%") OR like(lower(deviceType), "%dns%") OR lower(deviceType)="azurecoread"),"true","false") | table accountExpires,blackListUserIr,cn,country,department,description,deviceType,distinguishedName,division,dns,hostname,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,objectCategory,objectGUID,objectSid,operatingSystemVersion,os,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,sys_updated_on,sys_created_on,userAccountControl
- Update the /etc/caspida/local/conf/asset_es_pull_query.txt and /etc/caspida/local/conf/asset_proxy_query.txt files with valid queries that return no results. For example:
| inputlookup uba_ldapsearch_computers.csv | search deviceType="abc"
- Run the following command to sync the configuration changes across your deployment:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
- Run the following commands to restart Splunk UBA services:
/opt/caspida/bin/Caspida stop
/opt/caspida/bin/Caspida start
Perform asset identification by using a CSV file
Perform asset identification by using a CSV file when you are not able to perform direct searches. Perform the LDAP query to create a lookup CSV file, then use the CSV file in a lookup query.
Use the following example as a guideline, and replace the commands and transformations as needed for your environment:
- Follow the instructions in Configure a Splunk Assets data source to create a Splunk Assets data source.
- Schedule the LDAP query as a job to run every night around 10:00 PM local time. See Scheduling searches in the Splunk Enterprise Search Manual.
- Specify an LDAP query such as the one below and create the CSV file. Be sure to replace <domain-name> with an appropriate domain name for your environment.
| ldapsearch domain=<domain-name> search="(&(objectCategory=computer)(sAMAccountName=*))" attrs="accountExpires,cn,countryCode,dNSHostName,department,description,distinguishedName,division,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,name,objectCategory,objectGUID,objectSid,operatingSystem,operatingSystemVersion,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,userAccountControl,whenChanged,whenCreated" | outputlookup uba_ldapsearch_computers.csv | stats count
- Make local copies of the existing asset configuration files and put them in the /etc/caspida/local/conf folder:
cp -a /etc/caspida/conf/asset_* /etc/caspida/local/conf/.
- Add a lookup query such as the one below to /etc/caspida/local/conf/asset_dc_query.txt:
| inputlookup uba_ldapsearch_computers.csv | fields - _raw | rex max_match=0 field=distinguishedName ".*?OU=(?<groups>[^,=]+),.*?" | eval deviceType=mvjoin(groups, " - ") | rename name as hostname, dNSHostName as dns, operatingSystem as os, countryCode as country, whenCreated as sys_created_on, whenChanged as sys_updated_on | eval blackListUserIr=IF((lower(deviceType)="domain controllers" OR like(lower(deviceType), "%prox%") OR like(lower(deviceType), "%exch%") OR like(lower(deviceType), "%dns%") OR lower(deviceType)="azurecoread"),"true","false") | table accountExpires,blackListUserIr,cn,country,department,description,deviceType,distinguishedName,division,dns,hostname,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,objectCategory,objectGUID,objectSid,operatingSystemVersion,os,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,sys_updated_on,sys_created_on,userAccountControl
- Update the other two asset configuration files, /etc/caspida/local/conf/asset_es_pull_query.txt and /etc/caspida/local/conf/asset_proxy_query.txt, with valid queries that return no results. For example:
| inputlookup uba_ldapsearch_computers.csv | search deviceType="abc"
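The asset_dc_query.txt lookup used in both procedures above (the Splunk Assets data source procedure and the CSV procedure) derives deviceType from the OU components of distinguishedName and then decides blackListUserIr from that string. The following added example re-implements those rex, rename and eval steps in Python so that the logic can be checked offline against a few rows of your ldapsearch export before the query is deployed; it is not Splunk UBA's own code, and the sample directory records are constructed for illustration.

```python
import re

# Same capture as the page's rex on distinguishedName: every "OU=...," component, in DN order.
OU_RE = re.compile(r"OU=([^,=]+),")

# The rename step of asset_dc_query.txt.
FIELD_RENAMES = {
    "name": "hostname",
    "dNSHostName": "dns",
    "operatingSystem": "os",
    "countryCode": "country",
    "whenCreated": "sys_created_on",
    "whenChanged": "sys_updated_on",
}


def device_type_from_dn(dn):
    """Join the OU components with ' - ', as eval deviceType=mvjoin(groups, " - ") does."""
    return " - ".join(OU_RE.findall(dn))


def black_list_user_ir(device_type):
    """Mirror the page's eval blackListUserIr=IF(...) condition.

    Returns the strings "true"/"false" rather than Python booleans, matching the SPL output.
    """
    dt = device_type.lower()
    hit = (
        dt == "domain controllers"
        or "prox" in dt          # like(lower(deviceType), "%prox%")
        or "exch" in dt          # like(lower(deviceType), "%exch%")
        or "dns" in dt           # like(lower(deviceType), "%dns%")
        or dt == "azurecoread"
    )
    return "true" if hit else "false"


def transform_ldap_record(record):
    """Apply the rename and eval steps of asset_dc_query.txt to one ldapsearch row (a dict)."""
    out = {FIELD_RENAMES.get(key, key): value for key, value in record.items()}
    out["deviceType"] = device_type_from_dn(record.get("distinguishedName", ""))
    out["blackListUserIr"] = black_list_user_ir(out["deviceType"])
    return out


# Constructed rows standing in for uba_ldapsearch_computers.csv.
SAMPLE_RECORDS = [
    {"name": "DC01", "dNSHostName": "dc01.corp.example", "operatingSystem": "Windows Server",
     "distinguishedName": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example"},
    {"name": "PRX01", "dNSHostName": "prx01.corp.example", "operatingSystem": "Linux",
     "distinguishedName": "CN=PRX01,OU=Servers,OU=Proxy Servers,DC=corp,DC=example"},
    {"name": "WS042", "dNSHostName": "ws042.corp.example", "operatingSystem": "Windows 10",
     "distinguishedName": "CN=WS042,OU=Workstations,OU=EMEA,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for row in (transform_ldap_record(r) for r in SAMPLE_RECORDS):
        print(f'{row["hostname"]:8} deviceType={row["deviceType"]!r:32} blackListUserIr={row["blackListUserIr"]}')
```

Two properties of the query become visible when you run this: the OU components are joined in DN order, most specific first, and the domain controller test is an exact match on the whole joined string. A domain controller object placed under a child OU (for example CN=DC02,OU=SiteA,OU=Domain Controllers,...) therefore yields deviceType "SiteA - Domain Controllers" and is not blacklisted, so check the deviceType values your directory produces before relying on the default condition.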
View assets in your environment
Select Manage > Assets to view the assets identified in your environment.
Use Add Filter to limit the devices shown on this page.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2