This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure lists and lookups

To configure or edit the lists or lookup files used with Splunk Enterprise Security, click Lists and Lookups on the Data Enrichment panel.


Use Lists and Lookups to view and edit the default lists and lookups in Enterprise Security.


Click the name of a list to view or edit it. Click Export to export a copy of the file in CSV format.

Internal lookups

Internal lookups are used by Enterprise Security to generate information to drive dashboards or create notable events.

These lookups are created in three ways:

  • Populated by a static lookup table
  • Populated internally by search commands
  • Populated with information from the Internet

Splunk Enterprise Security is distributed with lookup files containing open-source information from the Internet. These lookups are used by some of the correlation searches that identify hosts that are recognized as malicious or suspicious according to various online sources (such as SANS). When an Internet connection is unavailable, these files will not be updated. If these lists are not updated, the correlation searches that rely on them may not function correctly.

Note: Many of these lookups can now be updated using the lookup editor, so file system access is not necessarily required.

For the list of pre-configured threat intelligence sources, see the topic Threat sources included with ES in this manual.

Lists and lookups editor

Go to Configure > Lists and Lookups to view the list of current lookup files. Click on a file name to open that lookup file in the lookup editor.


The name of the CSV file is shown in the upper left-hand corner of the panel (assets.csv in this example). The lookup fields are shown at the top of the table, and the values for those fields are displayed in the rows below. The priority values in this file are color-coded: positive numbers are shown in green and negative numbers in red. Each CSV file will look slightly different depending on the fields it contains.

Enable lookup edit

To edit a lookup file, you must modify the local.meta file in the app where the lookup file resides.

For instance, to edit expected_views.csv in SA-AuditAndDataProtection, add the following stanza to $SPLUNK_HOME/etc/apps/SA-AuditAndDataProtection/metadata/local.meta:

[lookups]
access = read : [ * ], write : [ admin,user ]

Edit lookup content

A context-sensitive drop-down menu is available when you right-click in the lookup table. Use the menu to add columns or rows to the file.

Note: You cannot save a lookup file that contains empty header fields.

  • To change a value in a cell, select the cell and type in the new value.
  • To add a new value to the file, right-click on the table and select Insert a row... from the drop-down options.

Click Save when you are done. Cancel returns you to the list of lookups.

Note: If you edit a file that does not exist, a warning message alerts you that the file does not exist.

Importing lookup files

An admin may import new CSV files to support new functions and data enrichment in the application.

To do this:

  1. Go to Settings > Knowledge > Lookups > Lookup table files.
  2. Click New. Be sure the Destination app is set to SplunkEnterpriseSecuritySuite.
  3. Browse to the file location and select the file to import.
  4. Enter a Destination filename to be displayed in the lookup list.
  5. Click Save.

To be sure that the new information is available to others, change the file permissions from "Private" to "App" or "Global". This moves the CSV file out of the user's folder so that it can be seen by searches, upgrade events, and other users.

  1. Click Permissions next to the newly imported CSV file.
  2. Select the appropriate level and type of permissions for this file. Use permissions to grant access for just this app ("App") or for all apps in this Splunk instance ("Global").
  3. Click Save.


Verify lookup files

Lookup files must be updated or replaced using the Lists and Lookups editor or directly on the file system of the search head. After a file is modified, Splunk automatically picks up the changes in the lookup list (no restart is required).

To import and edit CSV files, see Lists and lookups editor for details.

After editing the file, make sure that the contents can be loaded correctly by using the inputlookup search command to display the list.

inputlookup append=T application_protocol_lookup

Note: The CSV files used as lookups must be created with Unix-style line endings ("\n"). Splunk will not correctly read lookup files saved using Macintosh ("\r") or Windows line endings ("\r\n").

Application Protocols

The Application Protocols list contains port/protocol combinations and their approval status in the organization. This list is used to drive the Port & Protocol Tracker dashboard. The Application Protocols list can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-NetworkProtection/lookups/application_protocols.csv

The following table shows the fields in this file:

Field       Description
dest_port   The destination port number (must be 0-65535).
transport   The protocol of the network traffic (icmp, tcp, udp).
app         The application name.
status      The approval status of the port (approved, pending, unapproved). By default, the port is considered approved.

Assets

The Assets lookup contains information about the assets associated with this deployment. This list of assets will be matched to incoming events. See Adding asset data in this manual for information on configuring your asset list.

Categories

A category is a logical classification or grouping used for assets and identities. The category list can contain any set of categories you choose for organizing an asset or an identity. Common choices for assets include compliance and security standards such as PCI, or functional categories such as server and web_farm. Common choices for identities include titles and roles. For additional examples, see Asset lookup fields and Identity lookup fields in this manual.

The Categories list is manually updated by default. To access and update the list, browse to Settings > Data Enrichment > Lists and Lookups and select the Asset/Identity Categories list.

A saved search is available to collect all records in the Category field across both assets and identities, update the list, and populate the lookup. To enable the [Identity - Make Categories - Lookup Gen] saved search, browse to Configure > Content Management, use the search filter to find the applicable search, select the search and choose Action > Enable.

The Categories list is a lookup stored under: $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups

Expected Views

The Expected Views list specifies Enterprise Security views that should be monitored on a regular basis and is used by the View Auditing dashboard (Audit > View Auditing).

The Expected Views list can be found in the following location on the search head:

 $SPLUNK_HOME/etc/apps/SA-AuditAndDataProtection/lookups/expected_views.csv

The following table shows the fields in this file:

Field        Description
app          The application that contains the view (SplunkEnterpriseSecuritySuite in this case).
is_expected  Either "true" or "false". By default, Enterprise Security assumes activity is not expected, so you do not need any entries that include "false".
view         The name of the view; this is available in the URL.

To find the name of a view:

  1. Navigate to the view in Enterprise Security
  2. Look at the last segment of the URL to find the view name

For example, the view in the URL below is named incident_review:

(Screenshot: an Incident Review page URL whose last segment is incident_review)

Identities

The Identities lookup contains a list of identities that will be matched to incoming events. For information on setting up an identities list, see "Identity Management" in this manual.

Interesting Ports

Interesting Ports contains a list of TCP and UDP ports determined to be required, prohibited, or insecure in your deployment. Solutions administrators should set a policy defining the allowed and disallowed ports.

  1. Review the Interesting Ports list.
  2. Edit the list, changing the fields and adding new entries based upon the policy definition.
  3. Enable the correlation search that will trigger an alert.

Interesting Ports list lookup fields

The list can be found under Configure > Data Enrichment > Lists and Lookups. Choose the Interesting Ports list. In the Lookup editor, the lookup file interesting_ports.csv is displayed. The first line in the file is the header that describes the fields in the file.

Field            Description                                                          Example
app              The application or service name.                                     Win32Time
dest             The destination host for the network service. Accepts a wildcard;    DARTH*, 10.10.1.100, my_host, etc.
                 using just a wildcard (*) matches all hosts.
dest_pci_domain  An optional PCI domain. Accepts a wildcard.                          trust, untrust, etc.
dest_port        The destination port number. Accepts a wildcard.                     443, 3389, 5900, etc.
transport        The transport protocol. Accepts a wildcard.                          tcp or udp
is_required      Is the service required to be running? Alert if not present.         true or false
is_prohibited    Is the service/traffic/port prohibited from running? Alert if        true or false
                 present.
is_secure        Is the service traffic encrypted?                                    true or false
note             A brief description of the service and use case.                     Unencrypted telnet services are insecure... I will look for you, I will find you, and I will kill you.

Add to or modify this list using the editor. Click Save when you are done.

  • Use a search to review which user edited the lookup file and when. Example: index=_internal uri_path="/splunk-es/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit"
  • A lookup will not accept regular expressions.
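The constraints in the Application Protocols and Interesting Ports field tables, together with the line-ending and empty-header rules above, can be checked before a file is uploaded. The validator below is an added example written for this page, not Splunk's own code; it assumes the field names and allowed values exactly as the tables list them, and the sample CSV contents are constructed.

```python
import csv

# Constructed validator for application_protocols.csv and interesting_ports.csv
# as documented above; not Splunk code. Rules: dest_port in 0-65535, fixed
# transport/status values, true/false flags, no empty header, Unix "\n" endings.
RULES = {
    "application_protocols": {
        "transport": {"icmp", "tcp", "udp"},
        "status": {"approved", "pending", "unapproved"},
    },
    "interesting_ports": {
        "transport": {"tcp", "udp", "*"},
        "is_required": {"true", "false"},
        "is_prohibited": {"true", "false"},
        "is_secure": {"true", "false"},
    },
}

def port_ok(value, allow_wildcard):
    """dest_port must be 0-65535; interesting_ports also accepts the wildcard '*'."""
    if allow_wildcard and value == "*":
        return True
    return value.isdigit() and int(value) <= 65535

def validate_lookup(raw, kind):
    """Return the list of problems found in the CSV bytes; an empty list means clean."""
    problems = []
    if b"\r" in raw:
        problems.append("line endings: '\\r' found; Splunk needs Unix '\\n' endings")
    rows = list(csv.reader(raw.decode("utf-8").splitlines()))
    if not rows:
        return problems + ["file is empty"]
    header = rows[0]
    if any(name.strip() == "" for name in header):
        problems.append("header: empty field name (the editor refuses to save this)")
    wildcard = kind == "interesting_ports"
    for lineno, row in enumerate(rows[1:], start=2):
        rec = dict(zip(header, row))
        if "dest_port" in rec and not port_ok(rec["dest_port"], wildcard):
            problems.append(f"line {lineno}: dest_port {rec['dest_port']!r} is not 0-65535")
        for field, allowed in RULES[kind].items():
            if field in rec and rec[field] not in allowed:
                problems.append(f"line {lineno}: {field}={rec[field]!r} not in {sorted(allowed)}")
    return problems

# Constructed samples: a clean file, then one with a bad port, unknown status and CRLF.
GOOD = b"dest_port,transport,app,status\n443,tcp,https,approved\n"
BAD = b"dest_port,transport,app,status\r\n70000,tcp,gopher,maybe\r\n"
```

Run validate_lookup on the bytes of the file you intend to upload; every reported line number refers to the CSV line, so the row can be fixed in the lookup editor before Save.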

Interesting Processes

Interesting Processes contains a list of processes. This list is used to determine whether a process is required, prohibited, and/or secure. Use the Lists and Lookups editor to modify or add to this list. The Interesting Processes file can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/interesting_processes.csv

The following table shows the fields in this file:

Column           Description
app              The application name.
dest             The destination of the process.
dest_pci_domain  The PCI domain, if available.
is_required      true or false
is_prohibited    true or false
is_secure        true or false
note             Any additional information about this process.

Interesting Services

Interesting Services contains a list of services in your deployment. This list is used to determine whether a service is required, prohibited, and/or secure. Use the Lists and Lookups editor to modify or add to this list. The Interesting Services file can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/interesting_services.csv

The following table shows the fields in this file:

Column           Description
app              The application name.
dest             The destination of the process.
dest_pci_domain  The PCI domain, if available.
is_required      true or false
is_prohibited    true or false
is_secure        true or false
note             Any additional information about this process.

Primary Functions

Primary Functions contains a list of primary processes and services, and their function in your deployment. Use this list to designate which services are primary and the port and transport to use. The Primary Functions file can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/primary_functions.csv

The following table shows the fields in this file:

Column           Description
process          The name of the process.
service          The name of the service.
dest_pci_domain  The PCI domain, if available.
transport        tcp or udp
port             The port number.
is_primary       true or false
function         The function of this process (for example, Proxy, Authentication, Database, Domain Name Service (DNS), Web, Mail).

Prohibited Traffic

Prohibited Traffic lists processes that will generate an alert if they are detected. This list is used by the System Center dashboard and is useful for detecting software that has been prohibited by the security policy (such as IRC or data destruction tools) or for software that is known to be malicious (such as malware that was recently implicated in an outbreak).

The Prohibited Traffic file can be found in the following location on the search head:

$SPLUNK_HOME/etc/apps/SA-NetworkProtection/lookups/prohibited_traffic.csv

The following table shows the fields in this file:

Field          Description
app            The name of the process (such as echo, chargen, etc.).
is_prohibited  Either "true" or "false".
note           A text description of why the process is rejected.

Urgency Levels

Urgency Levels contains the combinations of priority and severity that dictate the urgency of notable events. For more information, see Notable Event Urgency assignment in this manual.

Last modified on 01 May, 2017

This documentation applies to the following versions of Splunk® Enterprise Security: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6
