Splunk® Enterprise Security

Installation and Upgrade Manual

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Configure lists and lookups

To configure or edit the lists or lookup files used with the Splunk App for Enterprise Security, click Lists and Lookups on the Data Enrichment panel.

Es-Config data enrichment.png

Use Lists and Lookups to view and edit the default lists and lookups in Enterprise Security.

Es lookup files 3-0.png

Click the name of a list to view or edit it. Click Export to export a copy of the file in CSV format.

Internal lookups

Internal lookups are used by Splunk App for Enterprise Security to generate information to drive dashboards or create notable events.

These lookups are created in three ways:

  • Populated by a static lookup table
  • Populated internally by search commands
  • Populated with information from the Internet

Splunk App for Enterprise Security is distributed with lookup files containing open-source information from the Internet. These lookups are used by some of the correlation searches that identify hosts that are recognized as malicious or suspicious according to various online sources (such as SANS). When an Internet connection is unavailable, these files will not be updated. If these lists are not updated, the correlation searches that rely on them may not function correctly.

Note: Many of these lookups can now be updated using the lookup editor, so file system access is not necessarily required.

See the list of Threat sources included with Enterprise Security in the Installation and Upgrade Manual.

These lookups are primarily intended for smaller deployments that do not have Intrusion Detection Systems or filtering web proxies but may also be useful for larger networks as well.

Lists and lookups editor

Go to Configure > Lists and Lookups to view the list of current lookup files. Click on a file name to open that lookup file in the lookup editor.

ES listsandlookups editor.png

The name of the CSV file is shown in the upper left-hand corner of the panel, assets.csv in this example. The lookup fields are shown at the top of the table, the values for the fields are displayed in the rows below that. Positive numbers are in green, negative numbers are shown in red. The priority values in this file are color-coded. Each CSV file will look slightly different depending on the fields it contains.

Enable lookup edit

To edit a lookup file, the local.meta file -- in the app where the lookup file resides -- must be modified, .

For instance, to edit expected_views.csv in SA-AuditAndDataProtection ($SPLUNK_HOME/etc/apps/SA-AuditAndDataProtection/metadata/local.meta/), add the following stanza to the local.meta file:

[lookups]
access = read : [ * ], write : [ admin,user ]

Edit lookup content

A drop-down, context-sensitive menu is available when you right-click in the lookup table. Use the menu to add columns or rows to the file.

Note: You cannot save a lookup file that contains empty header fields.

  • To change a value in a cell, select the cell and type in the new value.
  • To add a new value to the file, right-click on the table and select Insert a row... from the drop-down options.

Click Save when you are done. Cancel returns you to the list of lookups.

Note: If you edit a file that does not exist, a warning message alerts you that the file does not exist.

Importing lookup files

An admin may import new CSV files to support new functions and data enrichment in the application.

To do this:

  1. Go to Settings > Knowledge > Lookups > Lookup table files.
  2. Click New. Be sure the Destination app is set to SplunkEnterpriseSecuritySuite.
  3. Browse to the file location and select the file to import.
  4. Enter a Destination filename to be displayed in the lookup list.
  5. Click Save.

To be sure that the new information is available to others, change the file permissions from "Private" to "App" or "Global". This moves the CSV file out of the user's folder so that it is be seen by searches, upgrade events, and other users.

  1. Click Permissions next to the newly imported CSV file.
  2. Select the appropriate level and type of permissions for this file. Use permissions to set access to for just this app ("App"), or all apps in this Splunk instance ("Global").
  3. Click Save.

ES lookup permissions 3-0.png

Verify lookup files

Lookup files must be updated or replaced using the Lists and Lookups editor or directly on the file-system of the search head. After being modified, the lookup list in Splunk will automatically accept the changes (no restart is required).

To import and edit CSV files, see the "Lists and lookups editor" topic for details.

After editing the file, make sure that the contents can be loaded correctly by using the inputlookup search command to display the list. Use the name given as the Lookup Definition for the file as listed in the table in "Create user-populated lists".

For example:

inputlookup append=T application_protocol_lookup

Note: The CSV files used as lookups must be created with Unix-style line endings ("\n"). Splunk will not correctly read lookup files saved using Macintosh ("\r") or Windows line endings ("\r\n"). See the User Manual FAQ for more information.

Application Protocols

The Application Protocols list is a list of port/protocol combinations and their approval status in the organization. This list is used to drive the Port & Protocol Tracker dashboard. The Application Protocols list can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-NetworkProtection/lookups/application_protocols.csv

The following table shows the fields in this file:

Field Description
dest_port The destination port number (must be 0-65535)
transport The protocol of the network traffic (icmp, tcp, udp).
app application name
status The approval status of the port (approved, pending, unapproved). By default, the port is considered approved.

Assets

The Assets lookup contains information about the assets associated with this deployment. This list of assets will be matched to incoming events. See "Create your asset list" in this manual for information on configuring your asset list.

Categories

Categories lists the categories that apply to both assets and identities.

The Categories file can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/categories.csv

The following table shows the fields in this file:

Field Description
category Category
cardholder card holder name
"email_servers" email servers
hipaa HIPAA
intern Is this an intern
iso27002 Complies with ISO27002
nerc Complies with NERC
officer Is this an officer
pci PCI
pip Complies with PIP
sox Complies with SOX
splunk Splunk data
oracle Oracle data
virtual

Expected Views

The Expected Views list specifies Enterprise Security views that should be monitored on a regular basis and is used by the View Auditing dashboard (Audit > View Auditing).

The Expected Views list can be found in the following location on the search head:

 $SPLUNK_HOME/etc/apps/SA-AuditAndDataProtection/lookups/expected_views.csv

The following table shows the fields in this file:

Field Description
app The application that contains the view (SplunkEnterpriseSecuritySuite in this case)
is_expected Either "true" or "false". By default, Enterprise Security assumed activity is not expected so you do not need any entries that include "false".
view The name of the view; this is available in the URL.

To find the name of a view:

  1. Navigate to the view in Enterprise Security
  2. Look at the last segment of the URL to find the view name

For example, the view in the URL below is named incident_review:

Ess-incidentReviewURL.png

Identities

The Identities lookup contains a list of identities that will be matched to incoming events. See "Create your identity list" in this manual for information on setting up your identity list.

Interesting Ports

Interesting Ports contains a list of TCP and UDP ports determined to be required, prohibited, or insecure in your deployment. Solutions administrators should set a policy defining the allowed and disallowed ports.

  1. Review the Interesting Ports list.
  2. Edit the list, changing the fields and adding new entries based upon the policy definition.
  3. Enable the correlation search that will trigger an alert.

Interesting Ports list lookup fields

The list can be found under Configure > Data Enrichment > Lists and Lookups. Choose the Interesting Ports list. In the Lookup editor, the lookup file interesting_ports.csv is displayed. The first line in the file is the header that describes the fields in the file.

Field Description Example
app The application or service name Win32Time
dest The destination host for the network service. Accepts a wildcard. DARTH*, 10.10.1.100, my_host, etc. Using just a wildcard * will match all hosts.
dest_pci_domain An optional PCI Domain. Accepts a wildcard. trust, untrust, etc.
dest_port The destination port number. Accepts a wildcard. 443, 3389, 5900, etc.
transport The transport protocol. Accepts a wildcard. tcp or udp
is_required Is the service required to be running? Alert if not present. true or false
is_prohibited Is the service/traffic/port prohibited from running? Alert if present. true or false
is_secure Is the service traffic encrypted? true or false
note A brief description of the service and use-case Unencrypted telnet services are insecure.

Add to, or modify this list using the editor. Click Save when you are done.

  • Use a search to review the user and time the lookup file was edited. Example: index=_internal uri_path="/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit"
  • A lookup will not accept regular expressions.

Interesting Processes

Interesting Processes contains a list of processes. This list is used to determine whether a process is required, prohibited, and/or secure. Use the List and Lookup editor to modify or add to this list. The Interesting Processes file can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/interesting_processes.csv

The following table shows the fields in this file:

Column Description
app application name
dest destination of process
dest_pci_domain PCI domain, if available
is_required true or false
is_prohibited true or false
is_secure true or false
note Any additional information about this process

Interesting Services

Interesting Services contains a list of services in your deployment. This list is used to determine whether a service is required, prohibited, and/or secure. Use the List and Lookup editor to modify or add to this list. The Interesting Services file can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/interesting_services.csv

The following table shows the fields in this file:

Column Description
app application name
dest destination of process
dest_pci_domain PCI domain, if available
is_required true or false
is_prohibited true or false
is_secure true or false
note Any additional information about this process

Primary Functions

Primary Functions contains a list of primary processes and services, and their function in your deployment. Use this list to designate which services are primary and the port and transport to use. The Primary Functions file can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/primary_functions.csv

The following table shows the fields in this file:

Column Description
process name of process
service name of service
dest_pci_domain PCI domain, if available
transport tcp or udp
port port number
is_primary true or false
function function of this process (for example, Proxy, Authentication, Database, Domain Name Service (DNS), Web, Mail)

Prohibited Traffic

Prohibited Traffic lists processes that will generate an alert if they are detected. This list is used by the System Center dashboard and is useful for detecting software that has been prohibited by the security policy (such as IRC or data destruction tools) or for software that is known to be malicious (such as malware that was recently implicated in an outbreak).

The Prohibited Traffic file can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-NetworkProtection/lookups/prohibited_traffic.csv

The following table shows the fields in this file:

Field Description
app The name of the process (such as echo, chargen, etc.)
is_prohibited Either "true" or "false"
note A text description of why the process is rejected

Urgency Levels

Urgency Levels contains a list of the combinations of priority and severity levels that dictate the urgency of notable events. Use the List and Lookup editor to modify or add to this list. The Urgency Levels file can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/urgency.csv

ES-urgency csv edit.png

The following table shows the fields in this file:

Field Description
severity unknown, informational, low, medium, high, critical
priority unknown, informational, low, medium, high, critical
urgency unknown, informational, low, medium, high, critical
PREVIOUS
Identity Management
  NEXT
Configure threat intelligence sources

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters