Identify assets in your environment
Asset data refers to information about the devices that are owned by your company. Splunk UBA ingests asset data from Splunk Enterprise on the schedule you configure (for example, daily) using asset lookup queries. Splunk UBA uses this predefined device information in the following ways:
- Some of the asset lookup results are held in an in-memory cache and used by Splunk UBA to perform device resolution. For more information on how Splunk UBA uses asset data to resolve device names, see Device resolution in Splunk UBA in Use Splunk User Behavior Analytics.
- Exclude devices such as domain controllers, Exchange servers, file servers, print servers, or proxy servers that are not associated with a specific user, so that activity on shared infrastructure is not attributed to an individual user.
- Display additional metadata for devices in the system.
You can update the asset data information in Splunk UBA using one of the following methods:
- To perform queries against the Splunk platform, see Perform asset identification by using the Splunk Assets data source.
- If you are unable to perform direct searches on the Splunk platform, see Perform asset identification by using a CSV file.
Prerequisites for performing asset identification
You must perform asset identification after HR data is loaded into Splunk UBA, but before any event data is loaded.
In addition, verify the following on Splunk Enterprise:
- The ldapsearch command must be available and capable of accessing the LDAP server. The ldapsearch command is used by the asset domain controller query to identify and exclude the domain controllers in your environment. See Perform asset identification by using the Splunk Assets data source. Splunk UBA cannot obtain domain controller information in Splunk Cloud Platform environments.
- If you have Splunk Enterprise Security (ES), the asset table must be reachable through Splunk Enterprise. Access to the asset table is required to read the asset database.
- References to indexes and sources of Windows Security events in Splunk Enterprise must be available. Splunk UBA's asset proxy query uses Windows Security events 4624 (an account was successfully logged on) and 4769 (a Kerberos service ticket was requested) to identify and exclude proxy servers in your environment. See Perform asset identification by using the Splunk Assets data source.
Not all data at your site might be processed correctly. In some cases, Splunk UBA displays an error message; in others, the error appears only in the log file.
Asset data fields
Assets in Splunk UBA can be searched using the fields below.
Field | Data Type | Description | Example |
---|---|---|---|
hostname | string | Required. The hostname of the device. | server1 |
denyListDeviceIr | boolean | Recommended. Indicates whether or not any IP addresses are associated with the MAC address for this device. Set to true to prevent any IP addresses from being associated with the MAC address for this device. See Exclude identity resolution for devices or users. | false |
denyListUserIr | boolean | Recommended. Indicates whether or not any users are associated with this device. Set to true to prevent any users from being associated with this device. See Exclude identity resolution for devices or users. | false |
app | string | The application name. | Database |
asset_tag | string | The asset ID on the physical asset tag, such as a sticker that is typically placed on each device in your organization. | 123456 |
bunit | string | The business unit that the device belongs to. | EMEA, NorCal |
city | string | The city where the device is located. | Chicago |
cost_center | string | The cost center that the device belongs to. | SP01FIN |
country | string | The country where the device is located. | USA |
created_by | string | The name of the user who created the device in the system. | DevOps |
department | string | The department that the device belongs to. | Field Reps, ITS, Products, HR |
deviceType | string | The type of device. | client |
dns_domain | string | The domain of the device. | www.acmetech.org |
dns | string | The FQDN of the device. | server1.corp1.acmetech.org |
ip | array | The IP address of the device. The field can contain multiple values. See Configure asset ingestion for multivalue fields. | 2.1.1.1 |
is_expected | boolean | Indicates whether or not this device is always expected. Alerts are generated if this device stops reporting events. | true |
latitude | string | The latitude location of the device. | 37.780080 |
longitude | string | The longitude location of the device. | -122.420170 |
mac | array | The MAC address of the device. The field can contain multiple values. See Configure asset ingestion for multivalue fields. | 00:50:ef:84:f1:21|00:50:ef:84:f1:20 |
managed_by | string | The manager of the device. | admin |
os | string | The operating system running on the device. | macOS, Windows |
os_domain | string | The OS domain of the device. | Windows |
owner | string | The owner of the device. | f.prefect@acmetech.org, DevOps, Bill |
pci_domain | string | The PCI address domain of the device. | dmz, untrust |
serial | string | The serial number of the device. | AB1C24D5EFGH |
status | string | The hexadecimal Windows status code for the device. | 0XC0000234 (user is currently locked out) |
substatus | string | The hexadecimal sub-status code for the device. | 0XC000006D (invalid username or authentication) |
sys_created_on | timestamp | The date and time stamp of when the device was first entered into the system. The format is MM/DD/YYYY. | 05/01/2019 |
sys_updated_on | timestamp | The date and time stamp of the last time the device was updated. For example, a laptop might be assigned to a new owner. The format is MM/DD/YYYY. | 05/01/2019 |
Configure asset ingestion for multivalue fields
Some assets can have multiple values in a field, such as multiple IP addresses or MAC addresses. Splunk UBA creates separate devices for each IP address or MAC address if the addresses are separated by commas, as shown in the following example:
192.168.10.10,192.168.10.20,192.168.10.30
For data sources such as Splunk Enterprise Security (ES) that use a delimiter other than a comma, update the attribution.keyvalue.delimiter property in the /etc/caspida/local/conf/uba-site.properties file to specify the desired delimiter.
For example, perform the following tasks to specify that multiple IP and MAC addresses are separated using a pipe (|) character instead of a comma:
- Log in to the management node of your Splunk UBA deployment as the caspida user.
- Edit the /etc/caspida/local/conf/uba-site.properties file and add or edit the attribution.keyvalue.delimiter property so it looks like the following:
attribution.keyvalue.delimiter=Device.ip=\\|,Device.mac=\\|
Attribute element | Description |
---|---|
Device.ip | The ip attribute of Device attribution. This element is case-sensitive. |
Device.mac | The mac attribute of Device attribution. This element is case-sensitive. |
\\| | The regex of the desired delimiter. The pipe must be escaped because the delimiter is interpreted as a regular expression, in which an unescaped | means alternation rather than a literal pipe. This example takes the IP addresses 192.168.10.10|192.168.10.20|192.168.10.30 and stores them as follows in Splunk UBA: {192.168.10.10,192.168.10.20,192.168.10.30} |
Remove or comment out the attribution.keyvalue.delimiter property to use a comma as the delimiter for multivalue fields.
- Synchronize your Splunk UBA cluster after making any changes to your uba-site.properties file:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
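The following added example (not Splunk UBA code, and not part of the original page) simulates how the attribution.keyvalue.delimiter property drives the splitting of multivalue ip and mac fields, so you can check a delimiter setting before pushing it to the cluster. It assumes, since Splunk UBA is a Java application, that the property value is read with Java .properties escaping (a backslash escapes the next character, so \\| in the file becomes the regex \|) and that each per-attribute delimiter is applied as a regular expression; Python's re module stands in for that behaviour. The properties text and the asset record are constructed samples.

```python
"""Added example (not Splunk UBA code): simulate how the attribution.keyvalue.delimiter
property in uba-site.properties controls the splitting of multivalue Device.ip and
Device.mac fields into separate devices.

Assumptions (not stated on the page): Splunk UBA is a Java application, so the value
is read with Java .properties escaping (a backslash escapes the next character, so
``\\|`` in the file becomes the regex ``\|``), and each per-attribute delimiter is
applied as a regular expression. Python's re module stands in for that behaviour here.
"""
import re
from typing import Dict, List, Optional

PROPERTY_KEY = "attribution.keyvalue.delimiter"
DEFAULT_DELIMITER_REGEX = ","  # used when the property is absent or commented out

# Constructed stand-in for /etc/caspida/local/conf/uba-site.properties
# (a raw string, so the text holds two backslashes before each pipe, as the file does).
PROPERTIES_TEXT = r"""
# constructed example: ES-style pipe-delimited ip and mac fields
attribution.keyvalue.delimiter=Device.ip=\\|,Device.mac=\\|
"""


def java_property_unescape(value: str) -> str:
    """Java .properties rule for the simple case: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", value)


def load_property(text: str, key: str) -> Optional[str]:
    """Return the unescaped value of `key`, or None if the line is absent or commented out."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return java_property_unescape(v.strip())
    return None


def parse_delimiters(value: Optional[str]) -> Dict[str, str]:
    """Turn 'Device.ip=\\|,Device.mac=\\|' into {'Device.ip': r'\\|', 'Device.mac': r'\\|'}.
    Attribute names are case-sensitive, as the page notes; entries are comma-separated."""
    delimiters: Dict[str, str] = {}
    if value is None:
        return delimiters
    for entry in value.split(","):
        attribute, sep, regex = entry.partition("=")
        if sep:
            delimiters[attribute.strip()] = regex
    return delimiters


def split_multivalue(raw: str, delimiter_regex: str) -> List[str]:
    """Split one field value with the configured regex, dropping empty pieces."""
    return [part for part in re.split(delimiter_regex, raw) if part]


def resolve_devices(record: Dict[str, str], delimiters: Dict[str, str]) -> Dict[str, List[str]]:
    """Split the ip and mac fields of one asset record. Attributes without a configured
    delimiter fall back to the comma default, as the page describes."""
    return {
        field: split_multivalue(record[field], delimiters.get(f"Device.{field}", DEFAULT_DELIMITER_REGEX))
        for field in ("ip", "mac")
        if field in record
    }


# Constructed ES-style asset record with pipe-delimited multivalue fields.
SAMPLE_RECORD = {
    "hostname": "server1",
    "ip": "192.168.10.10|192.168.10.20|192.168.10.30",
    "mac": "00:50:ef:84:f1:21|00:50:ef:84:f1:20",
}

if __name__ == "__main__":
    configured = parse_delimiters(load_property(PROPERTIES_TEXT, PROPERTY_KEY))
    print(resolve_devices(SAMPLE_RECORD, configured))
    # Pitfall: an unescaped '|' is the regex alternation of two empty patterns, which
    # matches between every character and shreds the value instead of splitting it.
    print(split_multivalue("192.168.10.10", "|"))
```

The last call shows why the page escapes the pipe: with `Device.ip=|` the value is shredded into single characters, and Splunk UBA would create one bogus device per character rather than one per address.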
Perform asset identification by using the Splunk Assets data source
After you meet the requirements for performing asset identification, you can begin asset identification by using the Splunk Assets data source.
Perform the following tasks to configure a Splunk Assets data source in Splunk UBA.
- In Splunk UBA, select Manage > Data Sources.
- Click New Data Source.
- Scroll down to the Device Attribution section, select Splunk Assets, and then click Next.
- Enter the connection details to the Splunk platform, and then click Next. If you are connecting to Splunk ES, specify the Splunk ES search head as the URL of the data source.
- A sample query sourcetype=WinEventLog:Security is populated in the Query field to get AD multiline events. If you have AD XML events in your environment, change the query accordingly, such as sourcetype=XmlWinEventLog. You must validate that this query is returning the desired AD events in your environment. This query is used by the asset proxy query to identify and exclude the proxies in your environment.
- In the Domains field, specify a comma-separated list of domains in your environment. This list of domains is used by the asset domain controller query to identify and exclude the domain controllers in your environment.
- In the Schedule field, specify the frequency with which asset queries are run. The frequency interval begins when the data source is configured. For example, if you finish configuring the data source at 3:30PM and you select Daily as the frequency, Splunk UBA refreshes the asset data each day at 3:30PM.
- Click OK.
After the data source is configured, Splunk UBA performs asset data queries at the scheduled interval using the following queries:
Query | Description |
---|---|
Asset domain controller query | This query is located in /opt/caspida/conf/asset_dc_query.txt and performs an ldapsearch to identify and exclude the domain controllers in your environment. This query uses the domains specified in the Domains field when configuring a Splunk Assets data source. |
Asset ES query | This query is located in /opt/caspida/conf/asset_es_pull_query.txt and uses the assets macro to obtain the assets data in Splunk ES. |
Asset proxy query | There are two queries. The proxy query performs an SPL search against the Windows Security events (4624 and 4769) returned by the Query field to identify and exclude the proxy servers in your environment. If you have XML format Windows Security event logs, change the Query field accordingly, for example to sourcetype=XmlWinEventLog. |
Perform asset identification by using a CSV file
Perform asset identification by using a CSV file when you are not able to perform direct searches. Perform the LDAP query to create a lookup CSV file, then use the CSV file in a lookup query.
Use the following example as a guideline, and replace the commands and transformations as needed for your environment.
Perform the following steps:
- To create a Splunk Assets data source, see Perform asset identification by using the Splunk Assets data source.
- Schedule an LDAP query as a job to run every night around 10:00 PM local time. See Scheduling searches in the Splunk Enterprise Search Manual.
- Specify an LDAP query such as shown in the following example and create the CSV file:
| ldapsearch domain=<domain-name> search="(&(objectCategory=computer)(sAMAccountName=*))" attrs="accountExpires,cn,countryCode,dNSHostName,department,description,distinguishedName,division,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,name,objectCategory,objectGUID,objectSid,operatingSystem,operatingSystemVersion,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,userAccountControl,whenChanged,whenCreated" | outputlookup uba_ldapsearch_computers.csv | stats count
Be sure to replace <domain-name> with an appropriate domain name for your environment.
- Make local copies of the existing asset configuration files and put them in the /etc/caspida/local/conf folder:
cp -a /etc/caspida/conf/asset_* /etc/caspida/local/conf/.
- For each asset configuration file, add a lookup query such as shown in the following example to /etc/caspida/local/conf/asset_dc_query.txt:
| inputlookup uba_ldapsearch_computers.csv | fields - _raw | rex max_match=0 field=distinguishedName ".*?OU=(?<groups>[^,=]+),.*?" | eval deviceType=mvjoin(groups, " - ") | rename name as hostname, dNSHostName as dns, operatingSystem as os, countryCode as country, whenCreated as sys_created_on, whenChanged as sys_updated_on | eval blackListUserIr=IF((lower(deviceType)="domain controllers" OR like(lower(deviceType), "%prox%") OR like(lower(deviceType), "%exch%") OR like(lower(deviceType), "%dns%") OR lower(deviceType)="azurecoread"),"true","false") | table accountExpires,blackListUserIr,cn,country,department,description,deviceType,distinguishedName,division,dns,hostname,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,objectCategory,objectGUID,objectSid,operatingSystemVersion,os,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,sys_updated_on,sys_created_on,userAccountControl
This query derives deviceType from the OU path in the distinguished name and flags domain controllers, proxies, Exchange servers, and DNS servers so that users are not attributed to them. The query populates blackListUserIr, while the Asset data fields table lists this exclusion flag as denyListUserIr; verify which field name your Splunk UBA version accepts before scheduling the job. Also confirm that the hostname field is populated for every row, because it is required.
- Repeat step 5 for the other two asset configuration files, /etc/caspida/local/conf/asset_es_pull_query.txt and /etc/caspida/local/conf/asset_proxy_query.txt, with valid queries that return no results. For example:
| inputlookup uba_ldapsearch_computers.csv | search deviceType="abc"
- Restart the job manager:
sudo service caspida-jobmanager stop
sudo service caspida-jobmanager start
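The following added example (not Splunk UBA or Splunk code, and not part of the original page) reproduces the classification logic of the lookup query above offline, so you can check what deviceType and exclusion flag each computer object would receive before the nightly job writes them into Splunk UBA. It assumes ldapsearch output with whenCreated and whenChanged as LDAP GeneralizedTime (YYYYMMDDhhmmss.0Z), converts them to the MM/DD/YYYY format the Asset data fields table specifies, and emits the denyListUserIr field name from that table; the input rows are constructed samples.

```python
"""Added example (not Splunk UBA or Splunk code): build and sanity-check an asset CSV
for Splunk UBA offline, mirroring the lookup query in asset_dc_query.txt (deviceType
from the OU path, exclusion flag for domain controllers, proxies, Exchange and DNS).

Assumptions (not from the page): input rows look like ldapsearch output with
whenCreated/whenChanged as LDAP GeneralizedTime; output field names follow the
Asset data fields table (hostname, dns, os, country, denyListUserIr, sys_*_on).
"""
import csv
import io
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample rows in the shape of the ldapsearch output (last row lacks a name).
SAMPLE_LDAP_CSV = """\
name,dNSHostName,operatingSystem,countryCode,distinguishedName,whenCreated,whenChanged
DC01,dc01.corp1.acmetech.org,Windows Server 2019 Datacenter,840,"CN=DC01,OU=Domain Controllers,DC=corp1,DC=acmetech,DC=org",20190501120000.0Z,20230115083000.0Z
PROXY02,proxy02.corp1.acmetech.org,Windows Server 2016 Standard,840,"CN=PROXY02,OU=Proxy Servers,OU=Infrastructure,DC=corp1,DC=acmetech,DC=org",20180301090000.0Z,20230115083000.0Z
WS1042,ws1042.corp1.acmetech.org,Windows 10 Enterprise,840,"CN=WS1042,OU=Workstations,OU=Chicago,DC=corp1,DC=acmetech,DC=org",20210601100000.0Z,20230201140000.0Z
,nohost.corp1.acmetech.org,Windows 10 Enterprise,840,"CN=BROKEN,OU=Workstations,DC=corp1,DC=acmetech,DC=org",20210601100000.0Z,20230201140000.0Z
"""

# Same pattern as the SPL: rex max_match=0 field=distinguishedName ".*?OU=(?<groups>[^,=]+),.*?"
OU_RE = re.compile(r"OU=([^,=]+),")


def device_type_from_dn(dn: str) -> str:
    """Equivalent of eval deviceType=mvjoin(groups, " - "): OUs leaf-first, joined by ' - '."""
    return " - ".join(OU_RE.findall(dn))


def excluded_from_user_resolution(device_type: str) -> bool:
    """Same condition as the lookup's eval. Note the equality test for domain controllers
    only fires when 'Domain Controllers' is the sole OU in the path, which is the AD default."""
    dt = device_type.lower()
    return (dt == "domain controllers" or "prox" in dt or "exch" in dt
            or "dns" in dt or dt == "azurecoread")


def ldap_time_to_uba(generalized_time: str) -> str:
    """GeneralizedTime 20190501120000.0Z -> 05/01/2019 (MM/DD/YYYY per the field table)."""
    return datetime.strptime(generalized_time[:14], "%Y%m%d%H%M%S").strftime("%m/%d/%Y")


def build_asset_rows(ldap_csv_text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (asset rows using UBA field names, problems). Rows without the required
    hostname are reported and skipped rather than loaded."""
    rows: List[Dict[str, str]] = []
    problems: List[str] = []
    for rec in csv.DictReader(io.StringIO(ldap_csv_text)):
        hostname = rec["name"].strip()
        if not hostname:
            problems.append(f"skipped {rec['dNSHostName']!r}: hostname is required")
            continue
        device_type = device_type_from_dn(rec["distinguishedName"])
        rows.append({
            "hostname": hostname,
            "dns": rec["dNSHostName"],
            "os": rec["operatingSystem"],
            "country": rec["countryCode"],
            "deviceType": device_type,
            "denyListUserIr": "true" if excluded_from_user_resolution(device_type) else "false",
            "sys_created_on": ldap_time_to_uba(rec["whenCreated"]),
            "sys_updated_on": ldap_time_to_uba(rec["whenChanged"]),
        })
    return rows, problems


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Serialize the asset rows as CSV text, hostname first."""
    fields = ["hostname", "dns", "os", "country", "deviceType",
              "denyListUserIr", "sys_created_on", "sys_updated_on"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    assets, issues = build_asset_rows(SAMPLE_LDAP_CSV)
    print(to_csv(assets))
    for issue in issues:
        print("WARNING:", issue)
```

Run it against an export of your own uba_ldapsearch_computers.csv and review the rows where denyListUserIr is false but the OU path names shared infrastructure; those are the servers the OR-list in the query would miss, and the candidates for extending the like() clauses.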
View assets in your environment
Select Manage > Assets to view the assets identified in your environment.
Use Add Filter to limit the devices shown on this page.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1