Turn on entity zones for assets and identities in
Entity zones are turned off for assets and identities by default. You can turn on entity zones to preserve enrichment with differing private IP spaces.
CIM entity zones must be updated on the asset and identity lookups. Otherwise, it might impact the field enrichment because asset and identity lookups must add the cim_entity_zone
as an input field once the zones are enabled.
Prerequisites
Perform the following prerequisite tasks before starting on these settings:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format an asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
Turn on entity zones
Prerequisite
The CIM entity zone must be allocated when you configure the asset or identity lookup.
Follow these steps to turn on entity zones in the global settings:
- From the menu bar, select Configure, then Datasets, then Assets and identities.
- Select Correlation setup and select Activate / Turn on for all sourcetypes to turn on asset and identity correlation.
- Select the Global settings tab.
- Scroll to the Activate / Turn on Zones for Assets or Identities panel.
- Use the toggle to turn on for Assets or Identities.
- Type a lowercase word to use as a default zone name. This word auto-populates in the
cim_entity_zone
fields if you do not specify your own values when formatting an asset or identity list as a lookup. - (Optional) Select Configure zones to build a clause and specify a condition.
- In the Condition field, type a conditional statement that will evaluate to either true or false.
The condition has to match against a raw event field and value, such as:
dest = "192.0.2.1"
,src = "host1"
,location = "San Jose"
, and so on.- If the condition is not matched, the default zone name auto-populates in the
cim_entity_zone
. - If the condition is matched, such as
city = "San Jose"
, the zone that you configure in the next step will auto-populate in thecim_entity_zone
field with the value for this zone.
- If the condition is not matched, the default zone name auto-populates in the
- In the Zone field, type the name of a zone to assign when the match is made.
- Select +Add clause to add additional clauses.
- Select x to delete clauses.
- Select Confirm to save the clauses.
- Select Save.
- In the Condition field, type a conditional statement that will evaluate to either true or false.
As mentioned, the field and value that you specify in the conditional statement have to match raw event data. You can't write a conditional statement to match on a field and value from an automatic lookup. The conditional statement has to match a raw event because the entity zone field evaluation happens before the lookup enrichment happens. So the cim_entity_zone
field in the raw event is populated in one the following ways:
- Populated with the Zone name from the conditional statement when evaluating against raw events.
- Populated with the Default zone name when evaluating against raw events.
The cim_entity_zone
in the raw event is only populated in the previously mentioned ways. ES attempts to match the raw event using a "lookup field" and the cim_entity_zone
field. If the lookup and the raw event have matching values, then the event is enriched.
For more information about how correlation enriches findings with asset and identity data at search time, see Manage assets and identities to enrich findings in Splunk Enterprise Security.
Any events that do not have cim_entity_zone
specified in a lookup, or do not match any conditional statements, are assigned the default zone.
In situations where you have a cim_entity_zone
value specified in your lookup for your known entities, the default cim_entity_zone
value is not assigned if a similar event occurs from an unknown entity.
Turn off entity zones for Assets and Identities
Turn off entity zones in the global settings as follows:
- From the menu bar, select Configure, then Datasets, then Assets and identities.
- Select the Global settings tab.
- Scroll to the Activate / Turn on Zones for Assets or Identities panel.
- Use the toggle to turn off for Assets or Identities. Any previously existing default zone is turned off, not deleted.
- Select Save.
See Format an asset or identity list as a lookup in Splunk Enterprise Security.
Example
Using assets as an example, consider a default zone name of my_zone and a source file with the same ip
of 10.0.2.109, nt_host
of host1 and host2 in different zones, a cim_entity_zone
defined as an asset lookup header, and one empty cim_entity_zone
value such as the following: ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av,cim_entity_zone
192.0.2.94,,host1,,,,,,,,,,,,,,,
192.0.2.155,,host1,,,,,,,,,,,,,,,zone2
192.0.2.90,,host2,,,,,,,,,,,,,,,zone1
192.0.2.39,,host2,,,,,,,,,,,,,,,zone1
10.0.2.109,,host2,,,,,,,,,,,,,,,zone1
10.0.2.109,,host3,,,,,,,,,,,,,,,zone3
10.0.2.109,,host4,,,,,,,,,,,,,,,zone3
If you turn on entity zones, the behavior is to use the default zone name for the empty cim_entity_zone
value and not to merge key fields such as ip
and nt_host
that are in different zones.
cim_entity_zone | asset | ip | nt_host | pci_domain |
---|---|---|---|---|
my_zone |
192.0.2.94 |
192.0.2.94 | host1 | untrust |
zone2 |
192.0.2.155 |
192.0.2.155 | host1 | untrust |
zone1 |
192.0.2.90 |
192.0.2.90 |
host2 | untrust |
zone3 |
10.0.2.109 |
10.0.2.109 |
host3 |
untrust |
If you turn off entity zones, the behavior is to merge key fields such as ip
and nt_host
as usual.
asset | ip | nt_host | pci_domain |
---|---|---|---|
192.0.2.94 192.0.2.155 |
192.0.2.94 |
host1 | untrust |
192.0.2.90 192.0.2.39 |
192.0.2.90 192.0.2.39 |
host2 host3 |
untrust |
Turn off merge for assets and identities in | Ignore values for assets and identities in |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!