
Splunk ES Assets and Identities – Critical to a Successful Deployment

Why are Splunk ES Assets and Identities so Important?

In my role as a Splunk PS consultant, I frequently need to emphasize the importance of assets and identities. These two lookups drive the value of Splunk Enterprise Security (ES), Splunk’s SIEM solution. The asset and identity lookups allow a human to meaningfully correlate information from security systems, including IDS, proxy, HIDS, AV, AD, and more. What is critical about assets and identities is the additional context provided to the notable events generated by your organization’s correlation searches.

Assets are essentially your servers and identities are essentially your users, but there is more to it than that. There are optional and required fields. Splunk highly recommends that you populate certain fields in these lookups, apart from the required ones.

Required Fields

For assets you must have at least one of the following four fields populated:
• ip
• mac
• nt_host
• dns

It’s important to note that you do not need to populate all four fields, but you need at least one value in one of them. Having multiple values, as with multi-homed firewalls or servers, is not a problem either: multiple names or IPs go in the same field, separated by pipes.

For identities you only need to populate one field:
• identity

Again, this field can have multiple entries which are pipe delimited.

Optional Fields are Still Important

The Splunk ES documentation states that the rest of the fields are optional while the priority, business unit, and category are highly recommended. In my experience, populating the priority field is absolutely critical to a successful ES deployment. Priority is critical because it is the primary field considered in risk calculations. Using this field, you can better decide which threats need to be addressed immediately and which can be dealt with in time.

A stick-in-the-ground approach will work: start with a first pass, for example setting all firewalls or AD servers as critical and the rest of your assets as low, and then refine these settings as you continue using ES.


Headers for Asset and Identity Lookups

The headers for the asset and identity lookups can be directly copied from the documents referenced below, or copied from here:

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long

Both the assets and the identities need to be csv formatted with the correct field names in the right order. Both the field order and naming convention are critical.
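A pre-flight check of the two lookup files against the required-field, header-order and pipe-delimiter rules above, added here as an example (it is not Splunk’s or the author’s code). The accepted priority values are an assumption based on ES defaults rather than something this page states:

```python
"""Pre-flight checks for Splunk ES asset and identity lookup CSVs (added example).
Rules from the page: headers must match the documented list in order, every asset
needs one of ip/mac/nt_host/dns, every identity needs identity, and multi-value
cells are pipe-delimited. PRIORITIES is an assumption (ES defaults), not from the page."""
import csv
import io

ASSET_HEADERS = ("ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,"
                 "category,pci_domain,is_expected,should_timesync,should_update,"
                 "requires_av").split(",")
IDENTITY_HEADERS = ("identity,prefix,nick,first,last,suffix,email,phone,phone2,"
                    "managedBy,priority,bunit,category,watchlist,startDate,endDate,"
                    "work_city,work_country,work_lat,work_long").split(",")
ASSET_KEYS = ("ip", "mac", "nt_host", "dns")
PRIORITIES = {"", "unknown", "informational", "low", "medium", "high", "critical"}

def validate_lookup(csv_text, headers, key_fields):
    """Return a list of problems found; an empty list means the CSV is usable."""
    problems = []
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows or rows[0] != headers:
        return ["header row does not match the ES field list in order"]
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(headers):
            problems.append(f"line {lineno}: expected {len(headers)} columns, got {len(row)}")
            continue
        rec = dict(zip(headers, row))
        if not any(rec[k].strip() for k in key_fields):
            problems.append(f"line {lineno}: none of {'/'.join(key_fields)} is populated")
        for k in key_fields:  # multi-homed hosts: values must be separated by '|'
            if any(sep in rec[k].strip() for sep in (" ", ";", ",")):
                problems.append(f"line {lineno}: {k} uses a separator other than '|'")
        if rec["priority"].lower() not in PRIORITIES:
            problems.append(f"line {lineno}: priority {rec['priority']!r} is not an ES priority")
    return problems

def csv_row(headers, **fields):
    """Build one CSV line, placing values in the documented column order."""
    return ",".join(fields.get(h, "") for h in headers)

# Constructed sample: two good assets, one with no key field, one with a bad IP separator and priority.
SAMPLE_ASSETS = "\n".join([
    ",".join(ASSET_HEADERS),
    csv_row(ASSET_HEADERS, ip="10.0.0.5|10.0.1.5", nt_host="FW-EDGE-01",
            dns="fw-edge-01.example.com", owner="netops", priority="critical",
            bunit="IED", category="firewall", is_expected="true", requires_av="true"),
    csv_row(ASSET_HEADERS, nt_host="WS-0042", priority="low", category="workstation"),
    csv_row(ASSET_HEADERS, owner="nobody", priority="low"),
    csv_row(ASSET_HEADERS, ip="10.0.0.7 10.0.1.7", nt_host="DB-01", priority="urgent"),
])
```

Running `validate_lookup(SAMPLE_ASSETS, ASSET_HEADERS, ASSET_KEYS)` reports the two bad rows; the same function checks an identity file when given IDENTITY_HEADERS and ("identity",).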

Splunk provides some excellent out-of-the-box searches to extract both assets and identities from Active Directory. Refer to these documents on adding the data to ES.

These "base" searches Splunk provides can be expanded. Below is an example of how you can format the asset list based on business criteria and naming conventions:

| inputlookup AD_sample_asset_list_.csv
| rex field=nt_host "^(?…)"
| rex field=ip mode=sed "s/\s+/|/g"
| eval country = "Afghanistan", city = case(
site="X01", "Kabul",
site="X26", "Jalalabad",
site="D87", "Kandahar",
site="D28", "Baghlan",
site="D13", "Taleqan",
site="D20", "Charikar",
site="D22", "Mitarlam")
, bunit = case(
site = "S1", "IED",
site = "S1", "IED")
, category = case(
site = "IED", "boom",
site = "X01", "server",
site = "X98", "server")
, requires_av = "true"
, is_expected = if('nt_host' == "HOST-001" OR 'nt_host' == "HOST-002" OR 'nt_host' == "HOST-003" OR 'nt_host' == "HOST-004" OR 'nt_host' == "HOST-005", "true", "")
| table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

This is advanced SPL, but I believe any user with a week’s training and a willingness to learn can optimize these searches and get even more meaningful information into ES.

Essentially, I find that the eval statement with a combination of sed, rex, and the case function works best to get the results you are looking for. Naturally, there is no limit to how creative you can get with your SPL and eval.

Also note that a single-line eval statement is a lot more efficient than multiple eval statements on multiple lines, hence the collapsing of the eval statements for country, city, bunit, category, requires_av and is_expected into one.

Continuing the Conversation

It is critical to understand and properly configure identity and asset information for a successful ES implementation. As a PS consultant or owner of the ES project in your organization, you should start your conversations about the requirements for asset and identity information before ES is installed and continue the conversation throughout the project.

Splunk Best Practices at Your Fingertips

SP6 is a Splunk consulting firm focused on Splunk professional services including Splunk deployment, ongoing Splunk administration, and Splunk development. SP6 has a separate division that also offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for those companies that may require assistance with acquiring their own full-time staff, given the challenge that currently exists in the market today.