Splunk® Enterprise Security

Administer Splunk Enterprise Security

Splunk Enterprise Security (ES) versions 6.0.0, 6.0.1, and 6.3.0 are no longer available for download from Splunkbase as of April 15, 2021. Please upgrade to the latest version of Splunk Enterprise Security to avoid any potential issues with Assets and Identity management.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Format an asset or identity list as a lookup in Splunk Enterprise Security

Format your collected asset or identity data into a lookup file so that it can be processed by Splunk Enterprise Security.

Prerequisite Collect and extract asset and identity data for Splunk Enterprise Security

Steps

  1. Create a plain text, CSV-formatted file with Unix line endings and a .csv file extension.
  2. Use the correct headers for the CSV file. See Asset lookup header or Identity lookup header for the headers expected by Splunk Enterprise Security.
  3. Populate the rows of the CSV with the asset or identity fields. The maximum number of characters per value in a field is 975. For a multivalue field, each value in the list can be 975 characters. See Asset lookup fields or Identity lookup fields for reference.

For an example asset list, review the Demonstration Assets lookup.

  • Locate the list in Splunk Web by navigating to Configure > Content > Content Management.
  • Locate the list in the file system, the demo_assets.csv file is located in the SA-IdentityManagement/lookups/ directory.

If you use a custom search to generate a lookup, make sure that the lookup produced by the search results contains fields that match the headers.

Next step

Configure the new asset or identity list in Splunk Enterprise Security

Asset and identity lookup configurations

Enterprise Security manages specific props.conf settings as part of the asset and identity framework. In order for these files to be configured properly, all configurations need to be populated in the SPLUNK_HOME/etc/apps/SA-IdentityManagement/local/props.conf file. If there are existing identity correlation lookup definitions in the SPLUNK_HOME/etc/apps/SA-IdentityManagement/default/props.conf file, remove them so they can be managed by the asset and identity framework.

Asset lookup header

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av,cim_entity_zone

Asset lookup fields

Populate the following fields in an asset lookup.

To add multi-homed hosts or devices to the asset list, add each IP address to the ip field for the host, pipe-delimited. Multi-homed support is limited, and having multiple hosts with the same IP address on different network segments can cause conflicts in the merge process.

Field Data type Description Example values
ip pipe-delimited numbers A pipe-delimited list of single IP address or IP ranges. An asset is required to have an entry in at least one of the key fields such as: ip, mac, nt_host, or dns fields. All of the key fields are multi-value fields. 2.0.0.0/8|1.2.3.4&#192.168.15.9-192.168.15.27|5.6.7.8|10.11.12.13
mac pipe-delimited strings A pipe-delimited list of MAC address. An asset is required to have an entry in at least one of the key fields such as: ip, mac, nt_host, or dns fields. All of the key fields are multi-value fields. 00:25:bc:42:f4:60|00:50:ef:84:f1:21|00:50:ef:84:f1:20
nt_host pipe-delimited strings A pipe-delimited list of Windows machine names. An asset is required to have an entry in at least one of the key fields such as: ip, mac, nt_host, or dns fields. All of the key fields are multi-value fields. ACME-0005|SSPROCKETS-0102|COSWCOGS-013
dns pipe-delimited strings A pipe-delimited list of DNS names. An asset is required to have an entry in at least one of the key fields such as: ip, mac, nt_host, or dns fields. All of the key fields are multi-value fields. acme-0005.corp1.acmetech.org|SSPROCKETS-0102.spsp.com|COSWCOGS-013.cwcogs.com
owner string The user or department associated with the device f.prefect@acmetech.org, DevOps, Bill
priority string Recommended. The priority assigned to the device for calculating the Urgency field for notable events on Incident Review. An "unknown" priority reduces the assigned Urgency by default. For more information, see How urgency is assigned to notable events in . unknown, low, medium, high or critical.
lat string The latitude of the asset in decimal degrees, using +/- to indicate direction. 37.780080
long string The longitude of the asset in decimal degrees, using +/- to indicate direction. -122.420170
city string The city in which the asset is located Chicago
country string The country in which the asset is located USA
bunit string Recommended. The business unit of the asset. Used for filtering by dashboards in . EMEA, NorCal
category pipe-delimited strings Recommended. A pipe-delimited list of logical classifications for assets. Used for asset and identity correlation and categorization. See Asset/Identity Categories. server|web_farm|cloud
pci_domain pipe-delimited strings A pipe-delimited list of PCI domains. See Configure assets in the Splunk App for PCI Compliance Installation and Configuration Manual. cardholder, trust|dmz, untrust
If left blank, defaults to untrust.
is_expected boolean Indicates whether events from this asset should always be expected. If set to true, the Expected Host Not Reporting correlation search performs an adaptive response action when this asset stops reporting events. "true", or blank to indicate "false"
should_timesync boolean Indicates whether this asset must be monitored for time-sync events. It set to true, the Should Timesync Host Not Syncing correlation search performs an adaptive response action if this asset does not report any time-sync events from the past 24 hours. "true", or blank to indicate "false"
should_update boolean Indicates whether this asset must be monitored for system update events. "true", or blank to indicate "false"
requires_av boolean Indicates whether this asset must have anti-virus software installed. "true", or blank to indicate "false"
cim_entity_zone string Required when entity zones are enabled. Lowercase word to use as a default zone name. For use in situations when you have mergers or acquisitions with other companies, for example, and you have similar IP address spaces that you need to keep separate. This word auto-populates in the cim_entity_zone fields if you do not specify your own values when formatting an asset or identity list as a lookup. my_zone

You can also customize asset fields. See Manage asset field settings in .

Identity lookup header

identity,prefix,nick,first,last,suffix,email,phone,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long,cim_entity_zone

Identity lookup fields

Field Data type Description Example
identity pipe-delimited strings Required. A pipe-delimited list of username strings representing the identity. After the merge process completes, this field includes generated values based on the identity lookup configuration settings.

a.vanhelsing|abraham.vanhelsing|a.vanhelsing@acmetech.org

prefix string Prefix of the identity. Ms., Mr.
nick string Nickname of an identity. Van Helsing
first string First name of an identity. Abraham
last string Last name of an identity. Van Helsing
suffix string Suffix of the identity. M.D., Ph.D
email string Email address of an identity. a.vanhelsing@acmetech.org
phone string A pipe delimited field for telephone number of an identity. 123-456-7890
managedBy string A username representing the manager of an identity. phb@acmetech.org
priority string Recommended. The priority assigned to the identity for calculating the Urgency field for notable events on Incident Review. An "unknown" priority reduces the assigned Urgency by default. For more information, see How urgency is assigned to notable events in Splunk Enterprise Security. unknown, low, medium, high or critical.
bunit string Recommended. A group or department classification for identities. Used for filtering by dashboards in . Field Reps, ITS, Products, HR
category pipe-delimited strings Recommended. A pipe-delimited list of logical classifications for identities. Used for asset and identity correlation and categorization. See Asset/Identity Categories. Privileged|Officer|CISO
watchlist boolean Marks the identity for activity monitoring. Accepted values: "true" or empty. See User Activity Monitoring in this manual.
startDate string The start or hire date of an identity. Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s
endDate string The end or termination date of an identity. Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s
work_city string The primary work site City for an identity.
work_country string The primary work site Country for an identity.
work_lat string The latitude of primary work site City in decimal degrees, using +/- to indicate direction. 37.780080
work_long string The longitude of primary work site City in decimal degrees using +/- to indicate direction. -122.420170
cim_entity_zone string Required when entity zones are enabled. Lowercase word to use as a default zone name. For use in situations when you have mergers or acquisitions with other companies, for example, and you have similar identities that you need to keep separate. This word auto-populates in the cim_entity_zone fields if you do not specify your own values when formatting an asset or identity list as a lookup. my_zone

You can also customize identity fields. See Manage identity field settings in .

Last modified on 22 November, 2021
Collect and extract asset and identity data in Splunk Enterprise Security   Configure a new asset or identity list in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters