Configure lookups in the InfoSec app for Splunk
Use the lookups that are bundled in the InfoSec app for Splunk to enrich the event data within your environment. You can modify the following lookups to provide additional context when viewing certain data within the InfoSec app:
- Host
- User
Requirements
To configure lookups through the InfoSec app, download the Splunk Lookup File Editor app from Splunkbase.
Configure the Host lookup for information on hosts
Use the Host lookup to manually enter the context associated with your organization's assets. You can record fields, such as location, description, owner, priority, make, and model. The information in this lookup table is mapped to events within the Splunk platform through the IP address of the host.
You can configure this lookup manually through the InfoSec app or write a search that regularly populates this lookup from Active Directory and other sources.
Configure the User lookup for information on user events
Use the User lookup to enrich the user event data within your environment with additional information. You can enrich user event data to assist with triaging and creating actionable events during investigation. You can configure the User lookup to record fields such as the full name, phone number, email address, priority, and so on.
You can configure this lookup manually through the InfoSec app or write a search that regularly populates this lookup from Active Directory and other sources.
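The following scheduled search is an added example of populating the User lookup from Active Directory, not a search shipped with the InfoSec app. It assumes the Splunk Supporting Add-on for Active Directory (its ldapsearch command) is installed with a domain configured as "default", that the lookup file is named infosec_user_lookup.csv (a placeholder; substitute the app's actual file name), and that the lookup columns are user, full_name, email, phone, department, and priority. Rows entered by hand in the lookup are kept unless an AD record with the same user exists; disabled accounts are filtered out so that a stale account does not inherit a low priority.

```spl
| ldapsearch domain="default" search="(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,displayName,mail,telephoneNumber,title,department"
| eval user=lower(sAMAccountName)
| eval priority=if(match(coalesce(title, ""), "(?i)admin|executive|finance"), "high", "medium")
| rename displayName AS full_name, mail AS email, telephoneNumber AS phone
| eval source="ad"
| append [| inputlookup infosec_user_lookup.csv | eval source="manual"]
| dedup user sortby +source
| table user full_name email phone department priority
| outputlookup infosec_user_lookup.csv

index=* tag=authentication action=failure
| eval user=lower(user)
| lookup infosec_user_lookup.csv user OUTPUT full_name email priority
| where priority="high"
| stats count BY user full_name email src
```

Because outputlookup replaces the whole file, schedule the first search (for example nightly) and let the append/dedup step carry manual entries forward; the second search shows the lookup enriching failed logins so that high-priority accounts stand out during triage.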
This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0