Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Manage asset lookup configuration policies in Splunk Enterprise Security

Create an asset lookup configuration policy to update and enrich your assets. The asset lookup configuration settings create the policy that updates the inputs.conf file to point to a lookup and update your assets. When you add new items or update current items, the change takes effect in 5 minutes.

Prerequisites

Perform the following prerequisite tasks before starting on these settings:

  1. Collect and extract asset and identity data in Splunk Enterprise Security.
  2. Format the asset or identity list as a lookup in Splunk Enterprise Security.
  3. Configure a new asset or identity list in Splunk Enterprise Security.

Add an asset input stanza for the lookup source

To add a new asset input source, complete the following steps:

  1. From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Asset Lookup Configuration tab.
  3. Click New.
  4. In the New Asset Manager, do the following:
    1. Select the transforms.conf definition from the Source drop-down list that corresponds to the CSV source file of assets you uploaded in the prerequisite step.
    2. You can provide a name for the asset list stanza, but matching the source file name is a good idea.
    3. Enter a descriptive category for this asset list, such as web_servers or west_coast_servers.
    4. Enter a detailed description of the contents of this asset list.
    5. Check the Blacklist check box to exclude the lookup file from bundle replication.

      The asset and identity source lookup files are excluded from bundle replication in an indexer cluster by default. The merged lookup files are still included in bundle replication to support asset and identity correlation. Changing the default to include asset and identity lookup files in bundle replication might reduce system performance. See Knowledge bundle replication overview in the Splunk Enterprise Distributed Search manual.

    6. In Lookup List Type, asset is selected for you.
    7. In Lookup Field Exclusion List, select fields for the merge process to ignore. This excludes the fields and those values from the KV store collections for that particular lookup. You might use this in the case where you have a field in your source file that you don't want to rely on for information.
    8. Click Save.

Rank the order for merging assets

Any new asset list gets added to the bottom of the list by default. You can rank the order of this list to determine priority for merging assets. If an asset exists in multiple source files as a single value or exists multiple times in the same source file, this ranking is the weighted order for merging them. By default, the single value asset fields are as follows:

  • is_expected
  • priority
  • requires_av
  • should_timesync
  • should_update

These are the fields where the rank takes effect. For example, If you're merging two assets and they both have the is_expected field value, you need to choose one to take precedence. The row at the top of the list takes precedence and the merge process uses that value, as opposed to the row that's ranked second.

To change the rank, do the following from the Asset Lookup Configuration tab:

  1. Drag and drop the rows of the table into a new order.
  2. When finished reordering, click Save Ranking.

Ranking is not considered for a multivalue field field. The merge process combines all the values into the field, and then removes the duplicates.

Key fields are dns, ip, mac, and nt_host. If you store extra information in your key fields, such as the same IP address assigned to multiple systems, these duplicate IP addresses are now merged together as one asset. Make sure that the information in your key fields either belongs to the same asset or does not overlap.

Disable or enable asset lookups

You can disable or enable an asset lookup input. Disabling an input does not delete the data from the associated lookup from Splunk Enterprise Security. Disabling prevents the contents of the corresponding list from being included in the merge process. Enabling a disabled input allows the associated list to be merged at the next scheduled merge of the asset or identity data.

To disable an asset lookup, do the following from the Asset Lookup Configuration tab:

  1. Navigate to the Status column.
  2. Do one of the following options:
    • Click Disable to disable an input.
    • Click Enable to enable a disabled input.

Starting with version 5.0.0, asset and identity lookup inputs are disabled by default after a new installation. However, local settings are respected after an upgrade.

Modify asset lookups

Make changes to the asset lookups in Splunk Enterprise Security to add new assets or change existing values in the lookup tables. You can also disable or enable existing lookups.

  1. In Enterprise Security, select Configure > Data Enrichment > Asset and Identity Management.
  2. Find the name of the asset or identity list you want to edit, and select the corresponding lookup from the Source column. The list opens in an interactive editor.
  3. Use the scroll bars to view the columns and rows in the table. Double-click a cell to add, change, or remove content.
  4. Click Save when you are finished.

Manually add static asset data

Manually add new static asset data to Splunk Enterprise Security by editing the Assets lookups. For example, add internal subnets, IP addresses to be whitelisted, and other static asset and identity data.

  1. From the Splunk Enterprise Security menu bar, select Configure > Content > Content Management.
  2. To add asset data, click the Assets lookup to edit it.
  3. Use the scroll bars to view the columns and rows in the table. Double-click in a cell to add, change, or remove content.
  4. Save your changes.

Then you can see the lookup registered as static_assets or static_identities or in Configure > Data Enrichment > Asset and Identity Management.

Disable the demo asset lookups

The demo asset lookups are disabled by default. Enable them if needed for testing. Disable the demo asset lookups to prevent the demo data from being added to the primary asset and identity lookups used by Splunk Enterprise Security for asset and identity correlation.

  1. In Enterprise Security, select Configure > Data Enrichment > Asset and Identity Management.
  2. Locate the demo_assets lookups.
  3. Click Disable.
Last modified on 30 July, 2020
PREVIOUS
Manage global settings for assets and identities in Splunk Enterprise Security
  NEXT
Manage asset field settings in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters