Set up directories for Splunk Asset and Risk Intelligence
Splunk Asset and Risk Intelligence includes 2 internal data sources for enrichment: a company subnet directory and a company user directory. Populate these directories to locate assets on internal networks and provide context on user IDs.
Populate the company subnet directory
You can incorporate location data from your company into Splunk Asset and Risk Intelligence if you have a subnet listing. Populating a company subnet directory is optional, but you might want to use one to identify asset locations.
To populate the company subnet directory, complete the following steps:
- Select Admin then Data enrichment and then Company subnet directory.
- Update the subnet listing by uploading a CSV file or by entering a Splunk search. Follow the steps for your preferred method:
Method | Steps |
---|---|
Upload a CSV file |
The maximum upload size limit is 5mb. Upload larger files or files containing fields with different names using the Splunk lookup functionality. |
Enter a Splunk search |
|
After you populate the company subnet directory, you can manually add entries by selecting the add icon ( ), and you can edit, clone, or remove entries using the actions icons.
Required subnet listing fields
The subnet listing must contain the following fields:
Field | Value |
---|---|
subnet | Subnet and mask. For example, 10.10.10.10/24. |
zone | Subnet IP zone of the entry. |
location_id | Any location ID used by the business. |
description | Description of the subnet entry. |
provider | Name of a provider. For example, AWS. |
city | City name for the entry. |
state | 2-digit U.S. state or Canadian province. For example, "ON". |
country | 2-digit country code. For example, "US". |
region | Region. For example, "AMER" or "EMEA". |
type | Subnet type of the entry. |
vlan | Subnet virtual LAN of the entry. |
Some fields can have null values, but the fields must be included in the lookup table header. Don't change null values to "unknown" or something similar.
Add IP zones to the company subnet directory
With IP zones, you can differentiate network areas for the same IP address. For example, if a company acquires another company, you might want to specify a zone for each subnet entry.
To use IP zones, you must identify an IP zone for each entry in the company subnet directory and also for each data source you add to Splunk Asset and Risk Intelligence.
By default, each subnet entry has a zone value of default, and each data source has an ip_zone value of default. If you don't want to use IP zones, you don't need to edit these values.
To add a new IP zone in the company subnet directory, complete the following steps:
- Select Admin then Data enrichment and then Company subnet directory.
- Select the add icon (+) to add a subnet entry with the new IP zone to your company subnet directory.
- Enter a new name for the IP zone.
- Select Add.
- Select the add icon (+) to add additional subnet entries with the new IP zone.
You can't edit the IP zone for existing subnet entries.
After you add IP zones to your company subnet directory, make sure to also identify IP zones for each data source you add. See Data source field mapping reference.
Populate the company user directory
You must populate the company user directory to store asset context such as user IDs and email addresses.
To populate the company user directory, complete the following steps:
- Select Admin then Data enrichment and then Company user directory.
- Update the user listing by uploading a CSV file or by entering a Splunk search. Follow the steps for your preferred method:
Method | Steps |
---|---|
Upload a CSV file |
The maximum upload size limit is 5mb. Upload larger files or files containing fields with different names using the Splunk lookup functionality. |
Enter a Splunk search |
|
After you populate the company user directory, you can manually add entries by selecting the add icon ( ), and you can edit, clone, or remove entries using the actions icons.
Required user listing fields
The user directory listing must contain the following fields:
Field | Value |
---|---|
user_id | The username for the listing. |
user_first | First name of the user. |
user_last | Last name of the user. |
user_category | Category of the user. For example, "contractor" or "employee". |
user_email | Email address of the user. |
user_title | The job title of the user. |
user_business | Business of the user. |
user_bunit | Business unit of the user. |
user_city | City where the user is based. |
user_state | 2-digit U.S. state or Canadian province where the user is based. For example, "ON". |
user_country | 2-digit country code where the user is based. For example, "US". |
user_location_id | Location ID used by the business to identify a company location. |
user_priority | The priority of the user. For example, an executive might be "high" priority. |
user_start_date | The date the user started at the company. |
user_end_date | The date the user left the company. |
Some fields can have null values, but the fields must be included in the lookup table header. Don't change null values to "unknown" or something similar.
Splunk Asset and Risk Intelligence onboarding guide for admins | Manage enrichment rules in Splunk Asset and Risk Intelligence |
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2
Feedback submitted, thanks!