Manage asset lookup configuration policies in Splunk Enterprise Security
Create an asset lookup configuration policy to update and enrich your assets. The asset lookup configuration settings create a policy that updates the inputs.conf file to point at a lookup and refresh your assets from it. When you add new items or update existing ones, the change takes effect in 5 minutes.
Prerequisites
Perform the following prerequisite tasks before starting on these settings:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format an asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
Add an asset input stanza for the lookup source
To add a new asset input source, complete the following steps:
- From the Splunk Enterprise Security menu bar, select Configure, then Datasets, then Assets and identities.
- Select the Asset lookups tab.
- Select New.
- In the New Asset Manager, do the following:
  - From the Source drop-down list, select the lookup source that corresponds to the CSV file of assets you uploaded in the prerequisite step. Do not select a default lookup, such as asset_lookup_default_fields, to onboard custom data, because doing so causes problems.
  - Enter a name for the asset list stanza. Matching the source file name is a good idea.
  - Enter a descriptive category for this asset list, such as web_servers or west_coast_servers.
  - Enter a detailed description of the contents of this asset list.
  - Select the Denylist check box to exclude the lookup file from bundle replication.
    The asset and identity source lookup files are excluded from bundle replication in an indexer cluster by default. The merged lookup files are still included in bundle replication to support asset and identity correlation. Changing the default to include asset and identity lookup files in bundle replication might reduce system performance. See Knowledge bundle replication overview in the Splunk Enterprise Distributed Search manual.
  - In Lookup List Type, asset is selected for you.
  - In Lookup Field Exclusion List, select fields for the merge process to ignore. The excluded fields and their values are left out of the KV store collections for that particular lookup. Use this when your source file contains a field that you don't want to rely on for information.
- Select Save.
Rank the order for merging assets
Any new asset list gets added to the bottom of the list by default. You can rank the order of this list to determine priority for merging assets. If the same asset appears in more than one source file, or more than once in the same source file, this ranking is the weighted order that decides which single-value fields win when the rows are merged. By default, the single-value asset fields are as follows:
- is_expected
- priority
- requires_av
- should_timesync
- should_update
These are the fields where the rank takes effect. For example, if you're merging two assets and they both have a value for the is_expected field, one of them must take precedence. The row at the top of the list takes precedence and the merge process uses that value, as opposed to the value from the row that's ranked second.
To change the rank, do the following from the Asset lookups tab:
- Drag and drop the rows of the table into a new order.
- When finished reordering, select Save Ranking.
Ranking is not considered for a multivalue field. The merge process combines all the values into the field, and then removes the duplicates.
Key fields are dns, ip, mac, and nt_host. If you store extra information in your key fields, such as the same IP address assigned to multiple systems, the rows that share that IP address are merged together as one asset. Make sure that the information in your key fields either belongs to the same asset or does not overlap.
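The ranking and key-field behavior described above, and the Lookup Field Exclusion List from the earlier procedure, simulated in Python. This is an added example and is not Splunk's own merge code. It assumes pipe-delimited multivalue cells in the CSV, treats the five single-value fields listed above as rank-resolved and every other field as a de-duplicated multivalue, joins rows that share any dns, ip, mac, or nt_host value, and drops excluded fields before merging. The sample lookups, hostnames, and addresses are constructed. The find_key_overlaps function is a pre-upload check for key values shared across rows, the situation the last paragraph warns about.

```python
import csv
import io
from collections import defaultdict

# Field names from the page; the merge rules below are an illustrative model, not Splunk's code.
KEY_FIELDS = ("dns", "ip", "mac", "nt_host")
SINGLE_VALUE_FIELDS = ("is_expected", "priority", "requires_av", "should_timesync", "should_update")


def split_mv(value):
    """Split a multivalue cell. Assumes '|' is the delimiter (assumption, not from the page)."""
    if not value:
        return []
    return [v.strip() for v in value.split("|") if v.strip()]


def parse_lookup(text, exclude=()):
    """Parse one CSV lookup, dropping any field named in the exclusion list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: v for k, v in row.items() if k not in exclude})
    return rows


def find_key_overlaps(text):
    """Pre-upload check: key-field values that appear in more than one row of a
    single source. Those rows would be merged into one asset."""
    owners = defaultdict(set)
    for n, row in enumerate(parse_lookup(text), start=1):
        for kf in KEY_FIELDS:
            for val in split_mv(row.get(kf)):
                owners[(kf, val)].add(n)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def merge_assets(ranked_sources, exclude=()):
    """ranked_sources: CSV texts in rank order (index 0 = top of the ranking).
    Rows that share any key-field value are joined into one asset. Single-value
    fields take the highest-ranked non-empty value; all other fields become a
    de-duplicated multivalue list."""
    records = [(rank, row) for rank, text in enumerate(ranked_sources)
               for row in parse_lookup(text, exclude)]
    parent = list(range(len(records)))  # union-find over record indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    seen = {}  # (key field, value) -> first record index that carried it
    for idx, (_, row) in enumerate(records):
        for kf in KEY_FIELDS:
            for val in split_mv(row.get(kf)):
                key = (kf, val)
                if key in seen:
                    parent[find(idx)] = find(seen[key])
                else:
                    seen[key] = idx

    groups = defaultdict(list)
    for idx in range(len(records)):
        groups[find(idx)].append(records[idx])

    merged = []
    for members in groups.values():
        members.sort(key=lambda r: r[0])  # highest-ranked source first
        asset = {}
        for field in {f for _, row in members for f in row}:
            if field in SINGLE_VALUE_FIELDS:
                asset[field] = next((row[field] for _, row in members if row.get(field)), "")
            else:
                vals = []
                for _, row in members:
                    for v in split_mv(row.get(field)):
                        if v not in vals:
                            vals.append(v)
                asset[field] = vals
        merged.append(asset)
    return merged


# Constructed sample lookups. SOURCE_A is ranked above SOURCE_B; both describe web01.
SOURCE_A = """ip,nt_host,dns,mac,priority,is_expected,category
10.1.2.3,web01,web01.example.com,,high,true,web_servers
"""
SOURCE_B = """ip,nt_host,dns,mac,priority,is_expected,category
10.1.2.3,web01,,00:11:22:33:44:55,low,false,west_coast_servers
10.9.9.9,db01,db01.example.com,,medium,true,databases
"""
# Two different laptops listed with the same IP: the overlap the page warns about.
SOURCE_C = """ip,nt_host,dns,mac,priority,is_expected,category
192.0.2.10,laptop01,,,low,false,endpoints
192.0.2.10,laptop02,,,low,false,endpoints
"""

if __name__ == "__main__":
    for asset in merge_assets([SOURCE_A, SOURCE_B]):
        print(asset)
    print("overlaps in SOURCE_C:", find_key_overlaps(SOURCE_C))
```

With SOURCE_A ranked first, web01 takes priority "high" from SOURCE_A while category collects both web_servers and west_coast_servers; swapping the rank order flips priority to "low" without changing the multivalue fields. Running find_key_overlaps on SOURCE_C reports the shared IP before the file is onboarded, which is cheaper than discovering that laptop01 and laptop02 have become a single asset after the merge.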
Turn off or turn on asset lookups
You can turn off or turn on an asset lookup input. Turning off an input does not delete the data in the associated lookup from Splunk Enterprise Security; it only prevents the contents of the corresponding list from being included in the merge process. Turning on a deactivated input allows the associated list to be merged at the next scheduled merge of the asset or identity data.
To turn off an asset lookup, do the following from the Asset lookups tab:
- Navigate to the Status column.
- Do one of the following options:
  - Select Turn off to turn off an input.
  - Select Turn on to turn on a deactivated input.
Starting with version 5.0.0, asset and identity lookup inputs are turned off by default after a new installation. However, local settings are respected after an upgrade.
Modify asset lookups
Make changes to the asset lookups in Splunk Enterprise Security to add new assets or change existing values in the lookup tables. You can also turn off or turn on existing lookups.
- In Enterprise Security, select Configure, then Datasets, then Assets and identities.
- Find the name of the asset or identity list you want to edit, and select the corresponding lookup from the Name column.
This opens the Edit Asset Manager dialog box.
- Make the required edits to modify the asset lookup.
- Select Save when you are finished.
Manually add static asset data
Manually add new static asset data to Splunk Enterprise Security by editing the Assets lookups. For example, add internal subnets, IP addresses to be allowlisted, and other static asset and identity data.
- From the Splunk Enterprise Security menu bar, select Security content then Content management.
- To add asset data, select the Assets lookup to edit it.
- Use the scroll bars to view the columns and rows in the table. Select a cell to add, change, or remove content.
- Save your changes.
Then you can see the lookup registered as static_assets or static_identities in Configure, then Datasets, then Assets and identities.
Turn off the demo asset lookups
The demo asset lookups are turned off by default. Turn them on if needed for testing. Turn off the demo asset lookups to prevent the demo data from being added to the primary asset and identity lookups used by Splunk Enterprise Security for asset and identity correlation.
- In Enterprise Security, select Configure, then Datasets, then Assets and identities.
- Locate the demo_assets lookups.
- Select Turn off.
Delete the asset lookup
Delete the configuration for an asset lookup source file if you do not want that source file to be processed when the Identity Manager modular input runs.
- In Enterprise Security, select Configure, then Datasets, then Assets and identities.
- Locate the asset lookup that you created.
You cannot delete the asset lookups that are available by default.
- In the Edit Asset Manager dialog, select Delete.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1