Why are Splunk ES Assets and Identities so Important?
In my role as a Splunk PS consultant, I frequently need to emphasize the importance of assets and identities. These two lookups drive the value of Splunk Enterprise Security (ES), Splunk's SIEM solution. The asset and identity lookups allow an analyst to meaningfully correlate information from security systems, including IDS, proxy, HIDS, AV, AD, and more. What is critical about assets and identities is the additional context they add to the notable events generated by your organization's correlation searches: a notable that names only an IP address is far less actionable than one that also tells you the host name, the owner, the business unit, and how important that host is.
Assets are essentially your hosts (servers, workstations, network devices) and identities are essentially your users, but there is more to it than that. Each lookup has required and optional fields, and Splunk highly recommends that you populate certain optional fields in addition to the required ones.
For assets you must have at least one of the following four key fields populated (the Splunk ES documentation lists ip, mac, nt_host, and dns as the key fields):
• ip or
• mac or
• nt_host or
• dns
It's important to note that you do not need to populate all four fields, but you need at least one value in one of the above fields. Having multiple values, such as for multi-homed firewalls or servers, does not present an issue either, as a field can hold multiple names or IPs separated by pipes (for example 10.1.1.1|10.1.2.1).
For identities you only need to populate one field:
• identity
Again, this field can have multiple entries which are pipe delimited, so one person's various usernames (AD sAMAccountName, email address, UPN) can all resolve to the same identity record.
Optional Fields are Still Important
The Splunk ES documentation states that the rest of the fields are optional, while priority, business unit (bunit), and category are highly recommended. In my experience, populating the priority field is absolutely critical to a successful ES deployment. Priority is critical because it is the asset and identity input to the urgency that ES assigns to each notable event: urgency is derived from the priority of the asset or identity involved combined with the severity of the correlation search that fired. Using this field, you can better decide which threats need to be addressed immediately and which can be dealt with in time.
A "stick in the ground" approach will work: start with a first pass, for example setting all firewalls or AD servers as critical and the rest of your assets as low, and then refine these settings as you continue using ES.
Headers for Asset and Identity Lookups
The headers for the asset and identity lookups can be directly copied from the documents referenced below, or copied from here:
Splunk provides some excellent out-of-the-box searches to extract both assets and identities from Active Directory. Refer to these documents on adding the data to ES.
These "base" searches Splunk provides can be expanded, and I give some examples below, where based on business criteria and naming conventions you can format the asset list. The rex extracts a site code from the host naming convention, the sed-mode rex turns a whitespace-separated list of IPs into the pipe-delimited form ES expects, and the eval derives the recommended fields from the site code:
| rex field=nt_host "^(?<site>…)"
| rex field=ip mode=sed "s/\s+/|/g"
| eval country = "Afghanistan", city = case(
, bunit = case(
site = "S1", "IED",
site = "S1", "IED")
, category = case(
site = "IED", "boom",
site = "X01", "server",
site = "X98", "server")
, requires_av = "true"
, is_expected = if('nt_host' == "HOST-001" OR 'nt_host' == "HOST-002" OR 'nt_host' == "HOST-003" OR 'nt_host' == "HOST-004" OR 'nt_host' == "HOST-005", "true", "")
This is advanced SPL, but I believe any user with a week's training and a willingness to learn can optimize these and get even more meaningful information into ES.
Essentially, I find that an eval statement combined with sed, rex, and the case function works best to get to the results you are looking for. Naturally, there is no limit to how creative you can get with your SPL and eval.
Also note that a single eval statement is more efficient than multiple eval statements on multiple lines, hence the collapsing of the country, city, bunit, category, requires_av, and is_expected assignments into one eval above. Whatever you derive, check the result before you load it: a row with none of the key fields populated, or a priority value ES does not recognize, adds nothing to your notables.
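To make the two points above concrete (the key-field and pipe-delimiter rules for the asset lookup, and the site-based enrichment the SPL performs), here is an added example that is not part of the original post or of Splunk's own code. It is a small Python script that takes a raw asset export, normalizes multi-valued fields to pipes, derives bunit, category, requires_av, is_expected, and a first-pass priority from the host naming convention, and rejects rows that ES could not use. The site-code regex, the site-to-bunit and site-to-category tables, the list of expected hosts, and the sample export are all constructed for illustration; only the field names and the priority values follow the ES asset lookup documentation.

```python
"""Build and validate a Splunk ES asset lookup from a raw host export.

Added example, not code from the original post or from Splunk. It applies
the rules discussed above:
  - at least one key field (ip, mac, nt_host, dns) must be populated
  - multi-valued fields are pipe-delimited, so space- or comma-separated
    lists (common in AD exports) are collapsed into a|b|c, the same job
    as the "rex mode=sed" step in the post
  - a site code is taken from the nt_host naming convention and used to
    derive bunit and category (the case() logic in the post)
  - priority gets a "stick in the ground" default: critical for the
    categories that matter most, low for everything else
"""
import csv
import io
import re

KEY_FIELDS = ("ip", "mac", "nt_host", "dns")
# Priority values the ES asset lookup accepts.
VALID_PRIORITY = {"unknown", "informational", "low", "medium", "high", "critical"}
# Subset of the ES asset lookup headers used in this example.
HEADERS = ["ip", "mac", "nt_host", "dns", "priority", "city", "country",
           "bunit", "category", "requires_av", "is_expected"]

# Hypothetical naming convention (an assumption, like the rex in the post):
# nt_host starts with a site code such as S1, X01 or X98.
SITE_RE = re.compile(r"^(?P<site>[A-Z]\d{1,2})")
SITE_TO_BUNIT = {"S1": "IED", "X01": "Corp", "X98": "Corp"}       # constructed
SITE_TO_CATEGORY = {"S1": "ot", "X01": "server", "X98": "server"}  # constructed
CRITICAL_CATEGORIES = {"firewall", "domain_controller"}           # first-pass rule
EXPECTED_HOSTS = {"S1-FW-01", "X01-DC-01"}                        # constructed


def normalise_multivalue(value):
    """Collapse whitespace/comma/pipe separated values into ES pipe form."""
    parts = [p for p in re.split(r"[\s,|]+", value.strip()) if p]
    return "|".join(dict.fromkeys(parts))  # drop duplicates, keep order


def enrich(raw):
    """Derive the recommended fields for one asset row (header -> value)."""
    row = {h: (raw.get(h) or "").strip() for h in HEADERS}
    for field in ("ip", "mac", "dns"):
        row[field] = normalise_multivalue(row[field])
    match = SITE_RE.match(row["nt_host"])
    site = match.group("site") if match else ""
    row["bunit"] = row["bunit"] or SITE_TO_BUNIT.get(site, "")
    row["category"] = row["category"] or SITE_TO_CATEGORY.get(site, "")
    row["requires_av"] = "true"
    row["is_expected"] = "true" if row["nt_host"] in EXPECTED_HOSTS else ""
    if not row["priority"]:
        row["priority"] = "critical" if row["category"] in CRITICAL_CATEGORIES else "low"
    return row


def validate(row):
    """Return the problems that would make ES ignore or mis-handle the row."""
    problems = []
    if not any(row[f] for f in KEY_FIELDS):
        problems.append("no key field set (need one of %s)" % ", ".join(KEY_FIELDS))
    if row["priority"] not in VALID_PRIORITY:
        problems.append("priority %r is not an ES priority value" % row["priority"])
    return problems


def build_lookup(csv_text):
    """Parse a raw export, enrich each row, and split into (good, rejected)."""
    good, rejected = [], []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        row = enrich(raw)
        problems = validate(row)
        if problems:
            rejected.append((row, problems))
        else:
            good.append(row)
    return good, rejected


def to_csv(rows):
    """Serialise enriched rows under the ES asset headers."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=HEADERS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample export: a multi-homed firewall (two IPs separated by a
# space), a domain controller, a server with nothing derived yet, and a bad
# row with no key field at all.
SAMPLE_EXPORT = """nt_host,ip,category,priority
S1-FW-01,10.1.1.1 10.1.2.1,firewall,
X01-DC-01,10.10.0.5,domain_controller,
X98-APP-07,10.98.0.22,,
,,server,low
"""

if __name__ == "__main__":
    good_rows, rejected_rows = build_lookup(SAMPLE_EXPORT)
    print(to_csv(good_rows))
    for bad_row, why in rejected_rows:
        print("REJECTED", bad_row["nt_host"] or "<no nt_host>", why)
```

Run it as-is to see the three accepted rows written under the ES headers (the firewall's IPs now read 10.1.1.1|10.1.2.1 and both the firewall and the domain controller come out as critical) and the key-field-less row reported as rejected. Swap SAMPLE_EXPORT for your own AD or CMDB export and the rejected list is the first thing to fix before the file goes anywhere near ES.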
Continuing the Conversation
It is critical to understand and properly configure identity and asset information for a successful ES implementation. As a PS consultant or owner of the ES project in your organization, you should start the conversation about the requirements for asset and identity information (which sources of truth exist, who owns them, and how priority will be assigned) before ES is installed, and continue that conversation throughout the project.
Splunk Best Practices at Your Fingertips
Aditum’s Splunk Professional Services consultants can assist your team with best practices to optimize your Splunk deployment and get more from Splunk. Our certified Splunk Architects and Splunk Consultants manage successful Splunk deployments, environment upgrades and scaling, dashboard, search, and report creation, and Splunk Health Checks. Aditum also has a team of accomplished Splunk Developers that focus on building Splunk apps and technical add-ons.
Contact us directly to learn more.