Manage internal lookups in Splunk Enterprise Security
Splunk Enterprise Security provides and maintains internal lookups to support dashboards, searches, and other internal processes.
These lookups are created in several ways.
- Populated by a static lookup table
- Populated internally by search commands, called a search-driven lookup
- Populated with information from the Internet
The internal lookups populated with information from the Internet are used by some correlation searches to identify hosts that are recognized as malicious or suspicious according to various online sources, such as the SANS Institute. If Splunk Enterprise Security is not connected to the Internet, these lookup files are not updated, and the correlation searches that rely on them might not function correctly. Most of the internal lookups populated from the Internet are threat intelligence sources. See Configure the threat intelligence sources included with Splunk Enterprise Security in this manual.
Select Configure > Content Management to view the existing lookups that you can edit in Splunk Enterprise Security.
Splunk Enterprise Security uses the internal lookups in different ways.
Lookup type | Description | Example |
---|---|---|
List | Small, relatively static lists used to enrich dashboards. | Categories |
Asset or identity list | Maintained by a modular input and searches. See How Splunk Enterprise Security processes and merges asset and identity data. | Assets |
Threat intelligence collections | Maintained by several modular inputs. See Threat intelligence framework in Splunk ES on the Splunk developer portal. | Local Certificate Intel |
Tracker | Search-driven lookups used to supply data to dashboard panels. | Malware Tracker |
Per-panel filter lookup | Used to maintain a list of per-panel filters on specific dashboards. | HTTP Category Analysis Filter |
Internal lookups that you can modify
Some lookups are managed by searches (search-driven lookups), and others you update manually. This table lists the lookups that you might need to modify in Splunk Enterprise Security.
Lookup name | Type | Description | Usage details |
---|---|---|---|
Action History Search Tracking Whitelist | List | Add searches to this whitelist to prevent them from creating action history items for investigations. | Type a start_time of 1 to whitelist the search. Type a start_time and an end_time to whitelist the search for a specific period of time. |
Administrative Identities | List | You can use this lookup to identify privileged or administrative identities on relevant dashboards such as the Access Center and Account Management dashboards. | Modify the category column to indicate the privileged status of an account. Specify privileged default accounts with default\|privileged, or type privileged for privileged accounts that are not default accounts, or default for default accounts that are not privileged. |
Application Protocols | List | Used by the Port and Protocol dashboard. | See Application Protocols. |
Asset/Identity Categories | List | You can use this to set up categories to use to organize an asset or identity. Common categories for assets include compliance and security standards such as PCI or functional categories such as server and web_farm. Common categories for identities include titles and roles. | See Asset/Identity Categories. |
Assets | Asset list | You can manually add assets in your environment to this lookup to be included in the asset lookups used for asset correlation. | See Manually add new asset or identity data. |
Demonstration Assets | Asset list | Provides sample asset data for demonstrations or examples. | Disable the lookup for use in production environments. See Disable the demo asset and identity lookups. |
Demonstration Identities | Identity list | Provides sample identity data for demonstrations or examples. | Disable the lookup for use in production environments. See Disable the demo asset and identity lookups. |
ES Configuration Health Filter | Per-panel filter lookup | Per-panel filtering for the ES Configuration Health dashboard. | See Configure per-panel filtering in Splunk Enterprise Security. |
Expected Views | List | Lists Enterprise Security views for analysts to monitor regularly. | See Expected Views. |
HTTP Category Analysis Filter | Per-panel filter lookup | Per-panel filtering for the HTTP Category Analysis dashboard | See Configure per-panel filtering in Splunk Enterprise Security. |
HTTP User Agent Analysis | Per-panel filter lookup | Per-panel filtering for the HTTP User Agent Analysis dashboard | See Configure per-panel filtering in Splunk Enterprise Security. |
Identities | Identity list | You can manually edit this lookup to add identities to the identity lookup used for identity correlation. | See Manually add new asset or identity data. |
IIN Lookup | List | Static list of Issuer Identification Numbers (IIN) used to identify likely credit card numbers in event data. | Used to detect Personally-Identifiable Information (PII) in your events. |
Interesting Ports | List | Used by correlation searches to identify ports that are relevant to your network security policy. | See Interesting Ports. |
Interesting Processes | List | Used by a correlation search to identify processes running on hosts relevant to your security policy. | See Interesting Processes. |
Interesting Services | List | Used by a correlation search to identify services running on hosts relevant to your security policy. | See Interesting Services. |
Local * Intel | Threat intelligence lookup | Used to manually add threat intelligence. | See Add and maintain threat intelligence locally in Splunk Enterprise Security. |
Modular Action Categories | List | Used to categorize the types of adaptive response actions available to select. | Add a custom category to categorize a custom adaptive response action on Incident Review or the correlation search editor. |
New Domain Analysis | Per-panel filter lookup | Per-panel filtering for the New Domain Analysis dashboard. | See Configure per-panel filtering in Splunk Enterprise Security. |
PCI Domain Lookup | Identity list | Used by the Splunk App for PCI Compliance to enrich the pci_domain field. Contains the PCI domains relevant to the PCI standard. | See Set up asset categories. |
Primary Functions | List | Identifies the primary process or service running on a host. Used by a correlation search. | See Primary Functions. |
Prohibited Traffic | List | Identifies process and service traffic prohibited in your environment. Used by a correlation search. | See Prohibited Traffic. |
Risk Object Types | List | The types of risk objects available. | Edit the lookup to create a custom risk object type. You can then filter on the new risk object type or add a new risk entry on the Risk Analysis dashboard. See Create risk and edit risk objects in Splunk Enterprise Security. |
Security Domains | List | Lists the security domains that you can use to categorize notable events when created and on Incident Review. | Edit the lookup and add a custom security domain. |
Threat Activity Filter | Per-panel filter lookup | Per-panel filtering for the Threat Activity dashboard. | See Configure per-panel filtering in Splunk Enterprise Security. |
Traffic Size Analysis | Per-panel filter lookup | Per-panel filtering for the Traffic Size Analysis dashboard. | See Configure per-panel filtering in Splunk Enterprise Security. |
Urgency Levels | List | Urgency Levels contains the combinations of priority and severity that dictate the urgency of notable events. | See How urgency is assigned to notable events in Splunk Enterprise Security in Use Splunk Enterprise Security. |
URL Length Analysis | Per-panel filter lookup | Per-panel filtering for the URL Length Analysis dashboard. | See Configure per-panel filtering in Splunk Enterprise Security. |
Application Protocols
The Application Protocols list is a list of port and protocol combinations and their approval status in your organization. This list is used by the Port & Protocol Tracker dashboard. See Port & Protocol Tracker dashboard.
The following fields are available in this file.
Field | Description |
---|---|
dest_port | The destination port number. Must be a number from 0 to 65535. |
transport | The protocol of the network traffic. For example, icmp, tcp, or udp. |
app | The name of the application using the port. |
Asset/Identity Categories
The category list can contain any set of categories you choose for organizing an asset or an identity. A category is a logical classification or grouping used for assets and identities. Common choices for assets include compliance and security standards such as PCI, or functional categories such as server and web_farm. Common choices for identities include titles and roles. For more examples, see Format an asset or identity list as a lookup in Splunk Enterprise Security.
To enrich events with category information in asset and identity correlation, you must maintain the category field in the asset and identity lists themselves, not in the Asset/Identity Categories list. The categories list only supplies the set of values offered in the user interface. See Format an asset or identity list as a lookup in Splunk Enterprise Security.
There are two ways to maintain the Asset/Identity Categories list.
Run a saved search to maintain a list of categories
Splunk Enterprise Security includes a saved search that takes categories defined in the asset and identity lists and adds them to the Asset/Identity Categories list. The search is not scheduled by default.
- From the Splunk platform menu bar, select Settings > Searches, reports, alerts.
- Locate the Identity - Make Categories - Lookup Gen saved search.
- Click Edit > Enable.
Manually maintain a list of categories
Because the saved search is disabled by default, you must maintain the Asset/Identity Categories list manually by adding categories to the lookup directly.
- Select Configure > Content Management.
- Click the Asset/Identity Categories list.
- Add new categories to the list.
- Click Save.
Expected Views
The Expected Views list specifies Splunk Enterprise Security views that are monitored on a regular basis. The View Audit dashboard uses this lookup. See View Audit for more about the dashboard.
The following table describes the fields in this file.
Field | Description |
---|---|
app | The application that contains the view. This is usually set to SplunkEnterpriseSecuritySuite. |
is_expected | Either "true" or "false". If not specified, Splunk Enterprise Security assumes by default that the view is not expected to be monitored. |
view | The name of the view. Available in the URL or on the Content Management dashboard. |
To find the name of a view:
- Navigate to the view in Enterprise Security.
- Look at the last segment of the URL to find the view name.
For example, the view in the following URL is named incident_review:
https://127.0.0.1:8000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review
Interesting Ports
Interesting Ports contains a list of TCP and UDP ports determined to be required, prohibited, or insecure in your deployment. Define a policy for the allowed and disallowed ports in your environment, then modify the lookup to match that policy. To get alerts when those ports are seen in your environment, enable the correlation searches that use this lookup, such as Prohibited Port Activity Detected.
The following table describes the fields in this file.
Field | Description | Example |
---|---|---|
app | The application or service name using the port. | Win32Time |
dest | The destination host for the network service. Use a wildcard * to match all hosts. | DARTH*, 10.10.1.100, my_host |
dest_pci_domain | An optional PCI domain. Accepts a wildcard. | trust, untrust |
dest_port | The destination port number. Accepts a wildcard. | 443, 3389, 5900 |
transport | The transport protocol. Accepts a wildcard. | tcp or udp |
is_required | If you require the service to be running, and want the correlation search to create an alert if it is not running, set to true. | true or false |
is_prohibited | If you do not want the port to be used in your network, and want the correlation search to create an alert if it is in use, set to true. | true or false |
is_secure | If the traffic sent through the port is secure, set to true. | true or false |
note | Describe the service using the port and the explanation for the port policy. | Unencrypted telnet services are insecure. |
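The following Python script is an added example, not Splunk Enterprise Security code, and it does not reproduce the actual Prohibited Port Activity Detected search. It shows how rows of an Interesting Ports lookup, including wildcard values, can be applied to network traffic events to flag prohibited port use and to report required services that were not seen. The lookup rows and the traffic events are constructed sample data; case-insensitive glob matching on dest, dest_pci_domain, dest_port, and transport is an assumption about how a correlation search would treat the wildcards. The same matching approach applies to the Interesting Processes and Interesting Services lookups, which share the dest, dest_pci_domain, is_required, and is_prohibited columns.

```python
"""Illustrative matcher for an Interesting Ports style lookup.

Added example, not Splunk ES code. Sample lookup rows and traffic events
are constructed below. Glob matching per column is an assumption about
how the correlation search interprets wildcard values.
"""
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample of the Interesting Ports lookup (CSV as exported from the UI).
INTERESTING_PORTS_CSV = """\
app,dest,dest_pci_domain,dest_port,transport,is_required,is_prohibited,is_secure,note
telnet,*,*,23,tcp,false,true,false,Unencrypted telnet services are insecure.
vnc,*,*,5900,tcp,false,true,false,Remote desktop only via the jump host.
https,web*,*,443,tcp,true,false,true,Public web tier must serve TLS.
rdp,*,untrust,3389,tcp,false,true,false,RDP is not allowed from the untrusted zone.
ssh,bastion01,*,22,tcp,true,false,true,Bastion must accept SSH.
"""

# Constructed sample of network traffic events, already normalized to CIM field names.
SAMPLE_EVENTS = [
    {"src": "10.1.1.5", "dest": "web01", "dest_pci_domain": "trust", "dest_port": "443", "transport": "tcp"},
    {"src": "10.1.1.9", "dest": "db01", "dest_pci_domain": "trust", "dest_port": "23", "transport": "tcp"},
    {"src": "10.1.1.9", "dest": "jump01", "dest_pci_domain": "untrust", "dest_port": "3389", "transport": "tcp"},
    {"src": "10.1.1.7", "dest": "web02", "dest_pci_domain": "trust", "dest_port": "3389", "transport": "tcp"},
]

# Lookup columns that are matched against the event; app and note are carried along as enrichment.
MATCH_FIELDS = ("dest", "dest_pci_domain", "dest_port", "transport")


def load_lookup(text):
    """Parse the lookup CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _truthy(value):
    """Interpret the true/false columns; blank counts as false."""
    return str(value).strip().lower() in ("true", "1", "yes")


def row_matches(row, event):
    """Glob-match each lookup column against the event, case-insensitively.

    An empty column is treated as '*' so that a blank dest_pci_domain still matches.
    """
    for field in MATCH_FIELDS:
        pattern = (row.get(field) or "*").lower()
        if not fnmatchcase(str(event.get(field, "")).lower(), pattern):
            return False
    return True


def prohibited_port_activity(rows, events):
    """Return events that hit a row with is_prohibited=true, enriched with app and note."""
    hits = []
    for event in events:
        for row in rows:
            if _truthy(row["is_prohibited"]) and row_matches(row, event):
                hits.append({**event, "app": row["app"], "note": row["note"]})
                break  # one alert per event is enough
    return hits


def required_ports_not_seen(rows, events):
    """Return is_required rows that no event matched in this batch.

    Assumption: a required service with no observed traffic in the search window
    is what the correlation search would alert on.
    """
    return [row for row in rows
            if _truthy(row["is_required"]) and not any(row_matches(row, e) for e in events)]


def run_example():
    """Apply the constructed lookup to the constructed events."""
    rows = load_lookup(INTERESTING_PORTS_CSV)
    return {
        "prohibited": prohibited_port_activity(rows, SAMPLE_EVENTS),
        "missing_required": required_ports_not_seen(rows, SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    result = run_example()
    for hit in result["prohibited"]:
        print(f"PROHIBITED {hit['dest']}:{hit['dest_port']}/{hit['transport']} ({hit['app']}) - {hit['note']}")
    for row in result["missing_required"]:
        print(f"REQUIRED NOT SEEN {row['dest']}:{row['dest_port']}/{row['transport']} ({row['app']})")
```

With the sample data, the telnet connection to db01 and the RDP connection into the untrust domain are flagged, the RDP connection to web02 in the trust domain is not (the rdp row only matches dest_pci_domain untrust), and the required SSH service on bastion01 is reported because no traffic to it appears in the batch.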
Interesting Processes
Interesting Processes contains a list of processes and whether you consider each process required, prohibited, or secure to run in your environment. Splunk Enterprise Security uses this list in the Prohibited Process Detected correlation search.
The following table describes the fields in this file.
Field | Description |
---|---|
app | Application name |
dest | Destination host that the process runs on |
dest_pci_domain | PCI domain, if available |
is_required | If the process is required to be running on the destination host, set to true. Possible values are true or false. |
is_prohibited | If the process is prohibited on the destination host, set to true. Possible values are true or false. |
is_secure | If the process is secure, set to true. Possible values are true or false. |
note | Describe any additional information about this process. For example, The telnet application is prohibited due to insecure authentication. |
Interesting Services
Interesting Services contains a list of services in your deployment. The correlation search Prohibited Service Detected uses this lookup to determine whether a service is required, prohibited, or secure.
The following table describes the fields in this file.
Field | Description |
---|---|
app | Application name |
dest | Destination host that the service is running on. |
dest_pci_domain | PCI domain of the host, if available |
is_required | If the service is required to be running on the host, set to true. Possible values are true or false. |
is_prohibited | If the service is prohibited from running on the host, set to true. Possible values are true or false. |
is_secure | If the service is secure, set to true. Possible values are true or false. |
note | Any additional information about this service. |
Primary Functions
Primary Functions contains a list of primary processes and services and their function in your deployment. Use this list to define which services are primary and the port and transport to be used by the services. This lookup is used by the Multiple Primary Functions Detected correlation search.
The following table describes the fields in this file.
Field | Description |
---|---|
process | Name of the process |
service | Name of the service |
dest_pci_domain | PCI domain of the destination host, if available |
transport | Protocol used for transport by the process. Possible values are tcp or udp. |
port | The port number used by the process. |
is_primary | If the process is the primary process on the host, set to true. Possible values are true or false. |
function | The function that the process performs. For example, proxy, authentication, database, Domain Name Service (DNS), web, or mail. |
Prohibited Traffic
Prohibited Traffic lists processes that, if seen in your network traffic, could indicate malicious behavior. This list is used by the System Center dashboard and is useful for detecting software that is prohibited by your security policy, such as IRC, data destruction tools, file transfer software, or known malicious software, such as malware that was recently implicated in an outbreak.
The following table describes the fields in this file.
Field | Description |
---|---|
app | The name of the process (such as echo, chargen, etc.) |
is_prohibited | If the process is prohibited in your environment, set to true. Possible values are true or false. |
note | Add a description about why the process is prohibited. |
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1