Manage internal lookups in Splunk Enterprise Security
Splunk Enterprise Security provides and maintains internal lookups to support dashboards, searches, and other internal processes.
These lookups are created in several ways.
- Populated by a static lookup table
- Populated internally by search commands, called a search-driven lookup
- Populated with information from the Internet
The internal lookups populated with information from the Internet are used by some detections to identify hosts that are recognized as malicious or suspicious according to various online sources, such as the SANS Institute. If Splunk Enterprise Security is not connected to the Internet, these lookup files are not updated and the detections that rely on the lookups might not function correctly. Most of the internal lookups populated by the Internet are threat intelligence sources. See Configure intelligence source integrations in Splunk Enterprise Security in this manual.
Select Security content then Content management to view the existing lookups that you can edit in Splunk Enterprise Security.
Splunk Enterprise Security uses the internal lookups in different ways.
Lookup type | Description | Example |
---|---|---|
List | Small, relatively static lists used to enrich dashboards. | Categories |
Asset or identity list | Maintained by a modular input and searches. See How Splunk Enterprise Security processes and merges asset and identity data. | Assets |
Threat intelligence collections | Maintained by several modular inputs. See Threat intelligence framework in Splunk ES on the Splunk developer portal. | Local Certificate Intel |
Tracker | Search-driven lookups used to supply data to dashboard panels. | Malware Tracker |
Per-panel filter lookup | Used to maintain a list of per-panel filters on specific dashboards. | HTTP Category Analysis Filter |
Internal lookups that you can modify
Some lookups are managed by searches (search-driven lookups), and others you update manually. This table lists the lookups that you might need to modify in Splunk Enterprise Security.
Lookup name | Type | Description | Usage details |
---|---|---|---|
Action History Search Tracking Allowlist | List | Add searches to this allowlist to prevent them from creating action history items for investigations. | Type a start_time of 1 to allowlist the search. Type a start_time and an end_time to allowlist the search for a specific period of time. |
Administrative Identities | List | You can use this lookup to identify privileged or administrative identities on relevant dashboards such as the Access Center and Account Management dashboards. | Modify the category column to indicate the privileged status of an account. Specify privileged default accounts with default|privileged , or type privileged for privileged accounts that are not default accounts, or default for default accounts that are not privileged.
|
Application Protocols | List | Used by the Port and Protocol dashboard. | See Application Protocols. |
Asset/Identity Categories | List | You can use this to set up categories to use to organize an asset or identity. Common categories for assets include compliance and security standards such as PCI or functional categories such as server and web_farm. Common categories for identities include titles and roles. | See Asset/Identity Categories. |
Assets | Asset list | You can manually add assets in your environment to this lookup to be included in the asset lookups used for asset correlation. | See Manage assets and identities in Splunk Enterprise Security. |
Demonstration Assets | Asset list | Provides sample asset data for demonstrations or examples. | Turn off the lookup for use in production environments. See Manage assets and identities in Splunk Enterprise Security. |
Demonstration Identities | Identity list | Provides sample identity data for demonstrations or examples. | Turn off the lookup for use in production environments. See Manage assets and identities in Splunk Enterprise Security. |
ES Configuration Health Filter | Per-panel filter lookup | Per-panel filtering for the ES Configuration Health dashboard. | See Configure per-panel filtering in Splunk Enterprise Security. |
Expected Views | List | Lists Enterprise Security views for analysts to monitor regularly. | See Expected Views. |
HTTP Category Analysis Filter | Per-panel filter lookup | Per-panel filtering for the HTTP Category Analysis dashboard | See Configure per-panel filtering in Splunk Enterprise Security. |
HTTP User Agent Analysis | Per-panel filter lookup | Per-panel filtering for the HTTP User Agent Analysis dashboard | See Configure per-panel filtering in Splunk Enterprise Security. |
Identities | Identity list | You can manually edit this lookup to add identities to the identity lookup used for identity correlation. | See Manage assets and identities in Splunk Enterprise Security. |
IIN and LUHN Lookup | List | Static list of Issuer Identification Numbers (IIN) used to identify likely credit card numbers in event data. |
Outputting credit card numbers in your log data is risky. Therefore, credit card numbers from the detections, such as |
Interesting Ports | List | Used by detections to identify ports that are relevant to your network security policy. | See Interesting Ports. |
Interesting Processes | List | Used by a detection to identify processes running on hosts relevant to your security policy. | See Interesting Processes. |
Interesting Services | List | Used by a detection to identify services running on hosts relevant to your security policy. | See Interesting Services. |
Modular Action Categories | List | Used to categorize the types of adaptive response actions available to select. | Add a custom category to categorize a custom adaptive response action on the analyst queue or the detection editor. |
New Domain Analysis | Per-panel filter lookup | Per-panel filtering for the New Domain Analysis dashboard. | See Configure per-panel filtering in Splunk Enterprise Security. |
PCI Domain Lookup | Identity list | Used by the Splunk App for PCI Compliance to enrich the pci_domain field. Contains the PCI domains relevant to the PCI standard. |
See Set up asset categories. |
Primary Functions | List | Identifies the primary process or service running on a host. Used by a detection. | See Primary Functions. |
Prohibited Traffic | List | Identifies process and service traffic prohibited in your environment. Used by a detection. | See Prohibited Traffic. |
Risk ObjectTypes | List | The types of entities available. | Edit the lookup to create a custom entity type. You can then filter on the new entity type or add a new risk entry on the Risk Analysis dashboard. See How entities impact risk scores in Splunk Enterprise Security. |
Security Domains | List | Lists the security domains that you can use to categorize findings when created and on the analyst queue. | Edit the lookup and add a custom security domain. |
Threat Activity Filter | Per-panel filter lookup | Per-panel filtering for the Threat Activity dashboard. | See Configure per-panel filtering in Splunk Enterprise Security. |
Traffic Size Analysis | Per-panel filter lookup | Per-panel filtering for the Traffic Size Analysis dashboard. | See Configure per-panel filtering in Splunk Enterprise Security. |
Urgency Levels | List | Urgency Levels contains the combinations of priority and severity that dictate the urgency of findings. | See Configure the settings for the analyst queue in Splunk Enterprise Security. |
URL Length Analysis | Per-panel filter lookup | Per-panel filtering for the URL Length Analysis dashboard. | See Configure per-panel filtering in Splunk Enterprise Security. |
Application Protocols
The Application Protocols list is a list of port and protocol combinations and their approval status in your organization. This list is used by the Port & Protocol Tracker dashboard. See Port & Protocol Tracker dashboard.
The following fields are available in this file.
Field | Description |
---|---|
dest_port
|
The destination port number. Must be a number from 0 to 65535. |
transport
|
The protocol of the network traffic. For example, icmp, tcp, or udp. |
app
|
The name of the application using the port. |
Asset/Identity Categories
The category list can contain any set of categories you choose for organizing an asset or an identity. A category is logical classification or grouping used for assets and identities. Common choices for assets include compliance and security standards such as PCI, or functional categories such as server and web_farm. Common choices for identities include titles and roles. For more examples, see Format an asset or identity list as a lookup in Splunk Enterprise Security.
To enrich events with category information in asset and identity correlation, you must maintain the category
field in the asset and identity lists instead of in the Asset/Identity Categories list. See Format an asset or identity list as a lookup in Splunk Enterprise Security.
There are two ways to maintain the Asset/Identity Categories list.
Run a saved search to maintain a list of categories
Splunk Enterprise Security includes a saved search that takes categories defined in the asset and identity lists and adds them to the Asset/Identity Categories list. The search is not scheduled by default.
- From the Splunk platform menu bar, select Settings > Searches, reports, alerts.
- Locate the
Identity - Make Categories - Lookup Gen
search-driven lookup or lookup generating search. - Select Edit > Activate / Turn on.
Manually maintain a list of categories
Maintain the Categories list manually by adding categories to the lookup directly. By default, you must maintain the list manually.
- Select Security content then Content management.
- Select the Asset/Identity Categories list.
- Add new categories to the list.
- Select Save.
Expected Views
The Expected Views list specifies Splunk Enterprise Security views that are monitored on a regular basis. The View Audit dashboard uses this lookup. See View Audit for more about the dashboard.
You can add views that you would expect analysts or users to monitor daily, and then you can audit to verify that they are.
- Select Security content then Content management
- Search for Expected Views lookup.
- Fill in the fields.
- Select Save.
The following table describes the fields in this file.
Field | Description |
---|---|
app
|
The application that contains the view. This is usually set to SplunkEnterpriseSecuritySuite. |
is_expected
|
Either "true" or "false". If not specified, Splunk Enterprise Security assumes by default that the view is not expected to be monitored. |
view
|
The name of the view. Available in the URL or on the Content Management dashboard. |
To find the name of a view:
- Navigate to the view in Enterprise Security.
- Look at the last segment of the URL to find the view name.
For example, the view in the following URL below is named incident_review
:
https://127.0.0.1:8000/en-US/app/SplunkEnterpriseSecuritySuite/incident_review
Interesting Ports
Interesting Ports contains a list of TCP and UDP ports determined to be required, prohibited, or insecure in your deployment. Administrators can set a policy defining the allowed and disallowed ports and modify the lookup to match that policy. To get alerts when those ports are seen in your environment, turn on the detection that triggers an alert for those ports, such as Prohibited Port Activity Detected.
The following table describes the fields in this file.
Field | Description | Example |
---|---|---|
app
|
The application or service name using the port. | Win32Time |
dest
|
The destination host for the network service. Use a wildcard * to match all hosts.
|
DARTH*, 10.10.1.100, my_host. |
dest_pci_domain
|
An optional PCI domain. Accepts a wildcard. | trust, untrust |
dest_port
|
The destination port number. Accepts a wildcard. | 443, 3389, 5900 |
transport
|
The transport protocol. Accepts a wildcard. | tcp or udp |
is_required
|
If you require the service to be running, and want the detection to create an alert if it is not running, set to true. | true or false |
is_prohibited
|
If you do not want the port to be used in your network, and want the detection to create an alert if it is in use, set to true. | true or false |
is_secure
|
If the traffic sent through the port is secure, set to true. | true or false |
note
|
Describe the service using the port and the explanation for the port policy. | Unencrypted telnet services are insecure. |
Interesting Processes
Interesting Processes contains a list of processes and whether you consider the processes required, prohibited, or secure to be running in your environment. Splunk Enterprise Security uses this list in the Prohibited Process Detected detection.
The following table describes the fields in this file.
Field | Description |
---|---|
app
|
Application name |
dest
|
Destination of the process |
dest_pci_domain
|
PCI domain, if available |
is_required
|
If the process is required to be running on the destination host, set to true. Possible values are true or false. |
is_prohibited
|
If the process is prohibited on the destination host, set to true. Possible values are true or false. |
is_secure
|
If the process is secure, set to true. Possible values are true or false. |
note
|
Describe any additional information about this process. For example, The telnet application is prohibited due to insecure authentication. |
Interesting Services
Interesting Services contains a list of services in your deployment. The detection Prohibited Service Detected uses this lookup to determine whether a service is required, prohibited, and/or secure.
The following table describes the fields in this file.
Field | Description |
---|---|
app
|
Application name |
dest
|
Destination host that the service is running on. |
dest_pci_domain
|
PCI domain of the host, if available |
is_required
|
If the service is required to be running on the host, set to true. Possible values are true or false. |
is_prohibited
|
If the service is prohibited from running on the host, set to true. Possible values are true or false. |
is_secure
|
If the service is secure, set to true. Possible values are true or false. |
note
|
Any additional information about this service. |
Primary Functions
Primary Functions contains a list of primary processes and services and their function in your deployment. Use this list to define which services are primary and the port and transport to be used by the services. This lookup is used by the Multiple Primary Functions Detected detection.
The following table describes the fields in this file.
Field | Description |
---|---|
process
|
Name of the process |
service
|
Name of the service |
dest_pci_domain
|
PCI domain of the destination host, if available |
transport
|
Protocol used for transport by the process. Possible values are tcp or udp. |
port
|
The port number used by the process. |
is_primary
|
If the process is the primary process on the host, set to true. Possible values are true or false. |
function
|
The function that the process performs. For example, proxy, authentication, database, Domain Name Service (DNS), web, or mail. |
Prohibited Traffic
Prohibited Traffic lists processes that, if seen in your network traffic, could indicate malicious behavior. This list is used by the System Center dashboard and is useful for detecting software that is prohibited by your security policy, such as IRC, data destruction tools, file transfer software, or known malicious software, such as malware that was recently implicated in an outbreak.
The following table describes the fields in this file.
Field | Description |
---|---|
app
|
The name of the process (such as echo, chargen, etc.) |
is_prohibited
|
If the process is prohibited in your environment, set to true. Possible values are true or false. |
note
|
Add a description about why the process is prohibited. |
Create and manage lookups in Splunk Enterprise Security | Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!