Splunk® Enterprise Security

Administer Splunk Enterprise Security


Enable entity zones for assets and identities in

Entity zones are disabled for assets and identities by default. You can enable entity zones in situations when you have mergers or acquisitions with other companies, for example, and you have similar IP address spaces that you need to keep separate.

Prerequisites

Perform the following prerequisite tasks before starting on these settings:

  1. Collect and extract asset and identity data in .
  2. Format the asset or identity list as a lookup in .
  3. Configure a new asset or identity list in .

Enable entity zones

Enable entity zones in the global settings as follows:

  1. From the menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Global Settings tab.
  3. Scroll to the Enable Zones for Assets or Identities panel.
  4. Use the toggle to enable for Assets or Identities.
  5. Type a lowercase word to use as a default zone name. This word auto-populates in the cim_entity_zone fields if you do not specify your own values when formatting an asset or identity list as a lookup.
  6. (Optional) Click Configure Zones to build a clause and specify a condition.
    1. In the Condition field, type a conditional statement that will evaluate to either true or false. The condition defines a raw event value to match against, such as: dest = "192.0.2.1", src = "host1", location = "San Jose", and so on.
      1. If the condition is not matched, the default zone name auto-populates in the cim_entity_zone.
      2. If the condition is matched, such as city = "San Jose", the cim_entity_zone field is populated with the name of the zone that you configure in the next step.
    2. In the Zone field, type the name of a zone to assign when the match is made.
    3. Click +Add Clause to add additional clauses.
    4. Click x to delete clauses.
    5. Click Confirm to save the clauses.
    6. Click Save.

Any events that do not have a specified cim_entity_zone, or do not match any clauses, are assigned the default zone.

The default zone applies only to known entities: if you have a default value specified for your known entities and a similar event occurs from an unknown entity, no default cim_entity_zone value is assigned to that event.

Disable entity zones for Assets and Identities

Disable entity zones in the global settings as follows:

  1. From the menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Global Settings tab.
  3. Scroll to the Enable Zones for Assets or Identities panel.
  4. Use the toggle to disable for Assets or Identities. Any previously existing default zone is disabled, not deleted.
  5. Click Save.

See Format an asset or identity list as a lookup in .

Example

Using assets as an example, consider a default zone name of my_zone and a source file in which the same ip (10.0.2.109) and the same nt_host values (host1 and host2) appear in different zones, cim_entity_zone is defined as an asset lookup header, and one cim_entity_zone value is empty, such as the following:

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av,cim_entity_zone
192.0.2.94,,host1,,,,,,,,,,,,,,,
192.0.2.155,,host1,,,,,,,,,,,,,,,zone2
192.0.2.90,,host2,,,,,,,,,,,,,,,zone1
192.0.2.39,,host2,,,,,,,,,,,,,,,zone1
10.0.2.109,,host2,,,,,,,,,,,,,,,zone1
10.0.2.109,,host3,,,,,,,,,,,,,,,zone3
10.0.2.109,,host4,,,,,,,,,,,,,,,zone3

If you enable entity zones, the behavior is to use the default zone name for the empty cim_entity_zone value and not to merge key fields such as ip and nt_host that are in different zones.

cim_entity_zone | asset                                      | ip                                 | nt_host      | pci_domain
my_zone         | 192.0.2.94, host1                          | 192.0.2.94                         | host1        | untrust
zone2           | 192.0.2.155, host1                         | 192.0.2.155                        | host1        | untrust
zone1           | 192.0.2.90, 192.0.2.39, 10.0.2.109, host2  | 192.0.2.90, 192.0.2.39, 10.0.2.109 | host2        | untrust
zone3           | 10.0.2.109, host3, host4                   | 10.0.2.109                         | host3, host4 | untrust

If you disable entity zones, the behavior is to merge key fields such as ip and nt_host as usual.

asset                                                    | ip                                 | nt_host             | pci_domain
192.0.2.94, 192.0.2.155, host1                           | 192.0.2.94, 192.0.2.155            | host1               | untrust
192.0.2.90, 192.0.2.39, 10.0.2.109, host2, host3, host4  | 192.0.2.90, 192.0.2.39, 10.0.2.109 | host2, host3, host4 | untrust
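The merge behavior shown in the two tables above, as an added example that is not Splunk's code: a small Python model that reads the sample asset lookup from this page, fills empty cim_entity_zone values with the default zone, and merges rows that share a value in the ip or nt_host key fields, including the zone in the merge key only when zones are enabled. It assumes ip and nt_host are the only key fields involved and does not model the pci_domain default ("untrust" in the tables).

```python
import csv
import io

# Constructed input: the sample asset lookup from the Example section of this page.
ASSET_CSV = """\
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av,cim_entity_zone
192.0.2.94,,host1,,,,,,,,,,,,,,,
192.0.2.155,,host1,,,,,,,,,,,,,,,zone2
192.0.2.90,,host2,,,,,,,,,,,,,,,zone1
192.0.2.39,,host2,,,,,,,,,,,,,,,zone1
10.0.2.109,,host2,,,,,,,,,,,,,,,zone1
10.0.2.109,,host3,,,,,,,,,,,,,,,zone3
10.0.2.109,,host4,,,,,,,,,,,,,,,zone3
"""

KEY_FIELDS = ("ip", "nt_host")  # assumption: only these two key fields drive the merge


def merge_assets(csv_text, zones_enabled, default_zone="my_zone"):
    """Merge lookup rows as the page describes; returns one dict per merged asset.
    Rows sharing a key-field value join one asset (transitively, via union-find).
    With zones enabled, empty zones get the default and the zone is part of every key."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    parent = list(range(len(rows)))  # union-find forest over row indexes

    def find(i):  # root of the merge group that row i currently belongs to
        while parent[i] != i:
            i = parent[i]
        return i

    first_row_with = {}  # (zone-or-"", field, value) -> index of first row seen with it
    for i, row in enumerate(rows):
        if zones_enabled and not row["cim_entity_zone"]:
            row["cim_entity_zone"] = default_zone  # default zone fills the empty value
        for field in KEY_FIELDS:
            if row[field]:
                key = (row["cim_entity_zone"] if zones_enabled else "", field, row[field])
                if key in first_row_with:
                    parent[find(i)] = find(first_row_with[key])  # same value: merge groups
                else:
                    first_row_with[key] = i

    groups = {}  # root index -> merged asset, in first-seen order
    for i, row in enumerate(rows):
        zone = row["cim_entity_zone"] if zones_enabled else ""
        g = groups.setdefault(find(i), {"cim_entity_zone": zone, "ip": [], "nt_host": []})
        for field in KEY_FIELDS:
            if row[field] and row[field] not in g[field]:
                g[field].append(row[field])
    return list(groups.values())
```

With zones enabled the call returns the four assets of the first table; with zones disabled it returns the two assets of the second, because 10.0.2.109 now links host2, host3 and host4 into one asset.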
Last modified on 21 May, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only
