Splunk® InfoSec App

User Guide


Configure lookups in the InfoSec app for Splunk

Use the lookups that are bundled in the InfoSec app for Splunk to enrich the event data within your environment. You can modify the following lookups to provide additional context when viewing certain data within the InfoSec app:

  • Host
  • User

Requirements

To configure lookups through the InfoSec app, download the Splunk Lookup File Editor app on Splunkbase.

Configure the Host lookup for information on hosts

Use the Host lookup to manually enter the context associated with your organization's assets. You can record fields, such as location, description, owner, priority, make, and model. The information in this lookup table is mapped to events within the Splunk platform through the IP address of the host.

You can configure this lookup manually through the InfoSec app or write a search that regularly populates this lookup from Active Directory and other sources.

Configure the User lookup for information on user events

Use the User lookup to enrich the user event data within your environment with additional information. You can enrich user event data to assist with triaging and creating actionable events during investigation. You can configure the User lookup to record fields such as the full name, phone number, email address, priority, and so on.

You can configure this lookup manually through the InfoSec app or write a search that regularly populates this lookup from Active Directory and other sources.
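As an added example that is not part of the InfoSec app or its documentation, the two searches below populate the Host and User lookups from Active Directory so they can be scheduled instead of maintained by hand. They assume the SA-ldapsearch add-on is installed with a domain stanza named `default`, and the lookup file names (`infosec_host_lookup.csv`, `infosec_user_lookup.csv`), the output column names, and the `priority` rules are placeholders to be replaced with the field names of the app's actual lookup definitions.

```spl
`comment("Host lookup: pull enabled computer objects from AD. The InfoSec app maps this lookup to events by IP address, so the host name is resolved to an IP with the built-in dnslookup before writing the file. Domain name, file name and column names are assumptions.")`
| ldapsearch domain=default search="(&(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="cn,dNSHostName,description,location,managedBy,operatingSystem"
| lookup dnslookup clienthost AS dNSHostName OUTPUT clientip AS ip
| where isnotnull(ip)
| eval priority=case(like(operatingSystem, "%Server%"), "high", true(), "medium")
| rename cn AS host, managedBy AS owner
| table ip host description owner priority location operatingSystem
| outputlookup infosec_host_lookup.csv

`comment("User lookup: pull person accounts from AD and map the attributes the User lookup records (full name, phone, email, priority). The priority rule is illustrative only.")`
| ldapsearch domain=default search="(&(objectClass=user)(objectCategory=person))" attrs="sAMAccountName,displayName,mail,telephoneNumber,department,title,manager"
| rename sAMAccountName AS user, displayName AS full_name, mail AS email, telephoneNumber AS phone
| eval priority=if(match(title, "(?i)admin|executive|finance"), "high", "medium")
| table user full_name email phone department title manager priority
| outputlookup infosec_user_lookup.csv
```

Save each search as a scheduled report (for example, a nightly cron schedule) so the lookups are rewritten from the directory regularly; hosts that do not resolve are dropped by the `where isnotnull(ip)` step, so review that count if the Host lookup comes back smaller than expected.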

Last modified on 25 February, 2021

This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0

