Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Manage internal lookups in Splunk Enterprise Security

Splunk Enterprise Security provides and maintains internal lookups to support dashboards, searches, and other internal processes.

These lookups are created in several ways.

  • Populated by a static lookup table
  • Populated internally by search commands, called a search-driven lookup
  • Populated with information from the Internet

The internal lookups populated with information from the Internet are used by some correlation searches to identify hosts that are recognized as malicious or suspicious according to various online sources, such as the SANS Institute. If Splunk Enterprise Security is not connected to the Internet, these lookup files are not updated and the correlation searches that rely on the lookups might not function correctly. Most of the internal lookups populated by the Internet are threat intelligence sources. See Configure the threat intelligence sources included with Splunk Enterprise Security in this manual.

Select Configure > Content > Content Management to view the existing lookups that you can edit in Splunk Enterprise Security.

Splunk Enterprise Security uses the internal lookups in different ways.

Lookup type Description Example
List Small, relatively static lists used to enrich dashboards. Categories
Asset or identity list Maintained by a modular input and searches. See How Splunk Enterprise Security processes and merges asset and identity data. Assets
Threat intelligence collections Maintained by several modular inputs. See Threat intelligence framework in Splunk ES on the Splunk developer portal. Local Certificate Intel
Tracker Search-driven lookups used to supply data to dashboard panels. Malware Tracker
Per-panel filter lookup Used to maintain a list of per-panel filters on specific dashboards. HTTP Category Analysis Filter

Internal lookups that you can modify

Some lookups are managed by searches (search-driven lookups), and others you update manually. This table lists the lookups that you might need to modify in Splunk Enterprise Security.

Lookup name Type Description Usage details
Action History Search Tracking Allowlist List Add searches to this allowlist to prevent them from creating action history items for investigations. Type a start_time of 1 to allowlist the search. Type a start_time and an end_time to allowlist the search for a specific period of time.
Administrative Identities List You can use this lookup to identify privileged or administrative identities on relevant dashboards such as the Access Center and Account Management dashboards. Modify the category column to indicate the privileged status of an account. Specify privileged default accounts with default|privileged, or type privileged for privileged accounts that are not default accounts, or default for default accounts that are not privileged.
Application Protocols List Used by the Port and Protocol dashboard. See Application Protocols.
Asset/Identity Categories List You can use this to set up categories to use to organize an asset or identity. Common categories for assets include compliance and security standards such as PCI or functional categories such as server and web_farm. Common categories for identities include titles and roles. See Asset/Identity Categories.
Assets Asset list You can manually add assets in your environment to this lookup to be included in the asset lookups used for asset correlation. See Manually add static asset or identity data.
Demonstration Assets Asset list Provides sample asset data for demonstrations or examples. Turn off the lookup for use in production environments. See Turn off the demo asset and identity lookups.
Demonstration Identities Identity list Provides sample identity data for demonstrations or examples. Turn off the lookup for use in production environments. See Turn off the demo asset and identity lookups.
ES Configuration Health Filter Per-panel filter lookup Per-panel filtering for the ES Configuration Health dashboard. See Configure per-panel filtering in Splunk Enterprise Security.
Expected Views List Lists Enterprise Security views for analysts to monitor regularly. See Expected Views.
HTTP Category Analysis Filter Per-panel filter lookup Per-panel filtering for the HTTP Category Analysis dashboard See Configure per-panel filtering in Splunk Enterprise Security.
HTTP User Agent Analysis Per-panel filter lookup Per-panel filtering for the HTTP User Agent Analysis dashboard See Configure per-panel filtering in Splunk Enterprise Security.
Identities Identity list You can manually edit this lookup to add identities to the identity lookup used for identity correlation. See Manually add static asset or identity data.
IIN and LUHN Lookup List Static list of Issuer Identification Numbers (IIN) used to identify likely credit card numbers in event data.

Outputting credit card numbers in your log data is risky. Therefore, credit card numbers from the correlation search, such as Personally Identifiable Information Detected are used to detect Personally-Identifiable Information (PII) in your events and authenticate them. The correlation search extracts the integer sequence of the credit card number, such as 4111 1111 1111 1111 from the log and pipes it to the luhn_lite_lookup. The luhn_lite_lookup uses the LUHN algorithm to validate the numbers and displays the following values: pii:4111 1111 1111 1111 and pii_clean:4111111111111111. These values are sent to the iin_lookup, which is a pre-defined lookup that outputs the value: iin_issuer:<Credit_card_issuer>, which matches the value of pii_clean.

Interesting Ports List Used by correlation searches to identify ports that are relevant to your network security policy. See Interesting Ports.
Interesting Processes List Used by a correlation search to identify processes running on hosts relevant to your security policy. See Interesting Processes.
Interesting Services List Used by a correlation search to identify services running on hosts relevant to your security policy. See Interesting Services.
Local * Intel Threat intelligence lookup Used to manually add threat intelligence. See Add and maintain threat intelligence locally in Splunk Enterprise Security.
Modular Action Categories List Used to categorize the types of adaptive response actions available to select. Add a custom category to categorize a custom adaptive response action on Incident Review or the correlation search editor.
New Domain Analysis Per-panel filter lookup Per-panel filtering for the New Domain Analysis dashboard. See Configure per-panel filtering in Splunk Enterprise Security.
PCI Domain Lookup Identity list Used by the Splunk App for PCI Compliance to enrich the pci_domain field. Contains the PCI domains relevant to the PCI standard. See Set up asset categories.
Primary Functions List Identifies the primary process or service running on a host. Used by a correlation search. See Primary Functions.
Prohibited Traffic List Identifies process and service traffic prohibited in your environment. Used by a correlation search. See Prohibited Traffic.
Risk Object Types List The types of risk objects available. Edit the lookup to create a custom risk object type. You can then filter on the new risk object type or add a new risk entry on the Risk Analysis dashboard. See Create risk and edit risk objects in Splunk Enterprise Security.
Security Domains List Lists the security domains that you can use to categorize notable events when created and on Incident Review. Edit the lookup and add a custom security domain.
Threat Activity Filter Per-panel filter lookup Per-panel filtering for the Threat Activity dashboard. See Configure per-panel filtering in Splunk Enterprise Security.
Traffic Size Analysis Per-panel filter lookup Per-panel filtering for the Traffic Size Analysis dashboard. See Configure per-panel filtering in Splunk Enterprise Security.
Urgency Levels List Urgency Levels contains the combinations of priority and severity that dictate the urgency of notable events. See How urgency is assigned to notable events in Splunk Enterprise Security in Use Splunk Enterprise Security.
URL Length Analysis Per-panel filter lookup Per-panel filtering for the URL Length Analysis dashboard. See Configure per-panel filtering in Splunk Enterprise Security.

Application Protocols

The Application Protocols list is a list of port and protocol combinations and their approval status in your organization. This list is used by the Port & Protocol Tracker dashboard. See Port & Protocol Tracker dashboard.

The following fields are available in this file.

Field Description
dest_port The destination port number. Must be a number from 0 to 65535.
transport The protocol of the network traffic. For example, icmp, tcp, or udp.
app The name of the application using the port.

Asset/Identity Categories

The category list can contain any set of categories you choose for organizing an asset or an identity. A category is logical classification or grouping used for assets and identities. Common choices for assets include compliance and security standards such as PCI, or functional categories such as server and web_farm. Common choices for identities include titles and roles. For more examples, see Format an asset or identity list as a lookup in Splunk Enterprise Security.

To enrich events with category information in asset and identity correlation, you must maintain the category field in the asset and identity lists instead of in the Asset/Identity Categories list. See Format an asset or identity list as a lookup in Splunk Enterprise Security.

There are two ways to maintain the Asset/Identity Categories list.

Run a saved search to maintain a list of categories

Splunk Enterprise Security includes a saved search that takes categories defined in the asset and identity lists and adds them to the Asset/Identity Categories list. The search is not scheduled by default.

  1. From the Splunk platform menu bar, select Settings > Searches, reports, alerts.
  2. Locate the Identity - Make Categories - Lookup Gen search-driven lookup or lookup generating search.
  3. Click Edit > Activate / Turn on.

Manually maintain a list of categories

Maintain the Categories list manually by adding categories to the lookup directly. By default, you must maintain the list manually.

  1. Select Configure > Content > Content Management.
  2. Click the Asset/Identity Categories list.
  3. Add new categories to the list.
  4. Click Save.

Expected Views

The Expected Views list specifies Splunk Enterprise Security views that are monitored on a regular basis. The View Audit dashboard uses this lookup. See View Audit for more about the dashboard.

You can add views that you would expect analysts or users to monitor daily, and then you can audit to verify that they are.

  1. Select Configure > Content > Content Management.
  2. Search for Expected Views lookup.
  3. Fill in the fields.
  4. Click Save.

The following table describes the fields in this file.

Field Description
app The application that contains the view. This is usually set to SplunkEnterpriseSecuritySuite.
is_expected Either "true" or "false". If not specified, Splunk Enterprise Security assumes by default that the view is not expected to be monitored.
view The name of the view. Available in the URL or on the Content Management dashboard.

To find the name of a view:

  1. Navigate to the view in Enterprise Security.
  2. Look at the last segment of the URL to find the view name.

For example, the view in the following URL below is named incident_review:

https://127.0.0.1:8000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review

Interesting Ports

Interesting Ports contains a list of TCP and UDP ports determined to be required, prohibited, or insecure in your deployment. Administrators can set a policy defining the allowed and disallowed ports and modify the lookup to match that policy. To get alerts when those ports are seen in your environment, turn on the correlation search that triggers an alert for those ports, such as Prohibited Port Activity Detected.

The following table describes the fields in this file.

Field Description Example
app The application or service name using the port. Win32Time
dest The destination host for the network service. Use a wildcard * to match all hosts. DARTH*, 10.10.1.100, my_host.
dest_pci_domain An optional PCI domain. Accepts a wildcard. trust, untrust
dest_port The destination port number. Accepts a wildcard. 443, 3389, 5900
transport The transport protocol. Accepts a wildcard. tcp or udp
is_required If you require the service to be running, and want the correlation search to create an alert if it is not running, set to true. true or false
is_prohibited If you do not want the port to be used in your network, and want the correlation search to create an alert if it is in use, set to true. true or false
is_secure If the traffic sent through the port is secure, set to true. true or false
note Describe the service using the port and the explanation for the port policy. Unencrypted telnet services are insecure.

Interesting Processes

Interesting Processes contains a list of processes and whether you consider the processes required, prohibited, or secure to be running in your environment. Splunk Enterprise Security uses this list in the Prohibited Process Detected correlation search.

The following table describes the fields in this file.

Field Description
app Application name
dest Destination of the process
dest_pci_domain PCI domain, if available
is_required If the process is required to be running on the destination host, set to true. Possible values are true or false.
is_prohibited If the process is prohibited on the destination host, set to true. Possible values are true or false.
is_secure If the process is secure, set to true. Possible values are true or false.
note Describe any additional information about this process. For example, The telnet application is prohibited due to insecure authentication.

Interesting Services

Interesting Services contains a list of services in your deployment. The correlation search Prohibited Service Detected uses this lookup to determine whether a service is required, prohibited, and/or secure.

The following table describes the fields in this file.

Field Description
app Application name
dest Destination host that the service is running on.
dest_pci_domain PCI domain of the host, if available
is_required If the service is required to be running on the host, set to true. Possible values are true or false.
is_prohibited If the service is prohibited from running on the host, set to true. Possible values are true or false.
is_secure If the service is secure, set to true. Possible values are true or false.
note Any additional information about this service.

Primary Functions

Primary Functions contains a list of primary processes and services and their function in your deployment. Use this list to define which services are primary and the port and transport to be used by the services. This lookup is used by the Multiple Primary Functions Detected correlation search.

The following table describes the fields in this file.

Field Description
process Name of the process
service Name of the service
dest_pci_domain PCI domain of the destination host, if available
transport Protocol used for transport by the process. Possible values are tcp or udp.
port The port number used by the process.
is_primary If the process is the primary process on the host, set to true. Possible values are true or false.
function The function that the process performs. For example, proxy, authentication, database, Domain Name Service (DNS), web, or mail.

Prohibited Traffic

Prohibited Traffic lists processes that, if seen in your network traffic, could indicate malicious behavior. This list is used by the System Center dashboard and is useful for detecting software that is prohibited by your security policy, such as IRC, data destruction tools, file transfer software, or known malicious software, such as malware that was recently implicated in an outbreak.

The following table describes the fields in this file.

Field Description
app The name of the process (such as echo, chargen, etc.)
is_prohibited If the process is prohibited in your environment, set to true. Possible values are true or false.
note Add a description about why the process is prohibited.
Last modified on 11 August, 2023
Create and manage lookups in Splunk Enterprise Security   Create risk and edit risk objects in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters