Dear Buttercup,
Thank you for your note. I followed your suggestions, and the team has made some progress: we now see where all of our assets reside, who owns them, and more! Sadly, we have hit another roadblock. The analysts want more fields to describe their assets. Because I don’t have an answer for them, there is panic on the streets of Birmingham (our HQ). I wonder to myself, “Could life ever be sane again?” Buttercup, can you help me?
With remorse,
Steven M.
Steven,
I’m thrilled to hear you have been making progress on enumerating your assets in Splunk Enterprise Security. That said, there is no need for remorse about your most recent question around extensibility: Splunk ES can be extended with additional asset attributes, giving your analysts the flexibility they are asking for.
As you saw in our previous post, there are a number of fields available to characterize assets, but over time, some organizations find that they need greater flexibility in describing their assets beyond the default fields.
With the release of Enterprise Security 6.0, Splunk refreshed the Asset & Identity framework to improve scalability, but it also added extensibility, so that additional fields can be added to BOTH assets and identities.
To modify our existing configuration in ES, navigate to Configure -> Data Enrichment -> Asset and Identity. In ES 6.0, a new set of tabs has been added for settings and configuration. It is worth mentioning that extending the framework follows the same steps for both assets and identities, but our focus today is on assets.
If we want to add additional fields to our assets, we can click on the Asset Settings tab where we can view all of the current asset fields. These will include the fields that you are already familiar with like ip, nt_host, country, bunit and more.
To add an additional field, click the green button at the top of the screen and a New Asset Field window will pop up. For this example, we will enumerate the specific racks where our systems reside. To do this, we add a field called rack_number and click Save. If we wanted the field to be multi-value or used as a tag, we have that option as well. We can add up to 20 additional fields to both assets and identities.
Once we are done adding our new fields, we can click on the Search Preview tab in the Asset and Identity Configuration to view the underlying search that drives content generation for assets, and we can see the new field rack_number in that search.
This is very important and also very slick! With this one change, any of my lookups that contain that field will have it ingested into my master asset lookup. The other important thing to note is that if some but not all of my asset lists have this new column, the assets will still merge. Assets from lists that lack the field simply won’t have a value for it, while those from lists that do have it will be populated.
Now that our new field has been defined, we will want to ensure that the lookups that are rolling up into ES have this field populated. An easy way to check this is to navigate to the Asset Lookup Configuration tab. Remember in our first post when we prioritized these lookups?
If we click on frothly_assets_2019 under the Source column, we can see a tabular view of the supporting source data. Sadly, this asset data does not have a rack_number in it. We will add that column in a moment, but for now, I am more interested in the Thirsty Berner ICS Assets. If I click into it, I can see that the column rack_number is already defined and populated for some assets.
We can see that 10.1.4.99 has a rack number of 29-001. When the two lists converge, even though I don’t have the field rack_number in frothly_assets_2019, the rack_number from Thirsty Berner ICS Assets is returned in the converged asset record. If you look closely, you will also notice that the priority from frothly_assets_2019 came across, because that lookup has a higher rank than Thirsty Berner ICS Assets, whose priority for this asset is medium. This was something we covered in our first blog on the asset & identity framework, if you recall, Steven.
If we wanted to add the column rack_number to the previously mentioned frothly_assets_2019 lookup table, we can do this directly in the UI: right-click, select Insert column right, and then add the field name and values into our asset lookup. If we were doing this on a much larger scale, we could originate this new field from an external data source, but it is important that we ensure the field is defined and data is being populated into the Source.
Let’s add a few rack numbers to our lookup, frothly_assets_2019. In a case of poor planning, our admins are not clear about where 10.1.4.99 resides, and in this lookup that system has a rack number of 40-001 assigned to it.
Notice that now when our asset tables converge, the values from frothly_assets_2019 for both priority and rack_number are returned due to its higher ranking.
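To make the merge behaviour above concrete, here is a small model written for this post; it is not Splunk’s code, and the two lookups are constructed stand-ins for frothly_assets_2019 and Thirsty Berner ICS Assets (only the asset 10.1.4.99 and the rack numbers 29-001 and 40-001 come from the example, every other value is made up). Lookups are passed in rank order, highest first, which stands in for the rank setting in the Asset Lookup Configuration tab. The merge takes each field from the highest-ranked source that actually carries a value, so a missing column falls through to a lower-ranked list, and a second helper reports where two lists disagree on a field, which is exactly the situation rank resolves silently.

```python
"""Model of rank-based asset lookup merging in Splunk ES (illustrative, not Splunk's code)."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample lookups standing in for the two sources discussed in the post.
# Apart from 10.1.4.99, 29-001 and 40-001, every value here is made up.
FROTHLY_ASSETS_2019 = """ip,nt_host,priority,bunit
10.1.4.99,ics-hmi-01,critical,operations
10.1.4.100,ics-plc-02,high,operations
"""

THIRSTY_BERNER_ICS_ASSETS = """ip,priority,rack_number
10.1.4.99,medium,29-001
10.1.4.101,low,29-002
"""

# The same frothly lookup after the rack_number column has been inserted and populated.
FROTHLY_ASSETS_2019_WITH_RACK = """ip,nt_host,priority,bunit,rack_number
10.1.4.99,ics-hmi-01,critical,operations,40-001
10.1.4.100,ics-plc-02,high,operations,40-002
"""

Source = Tuple[str, str]  # (lookup name, CSV text)


def parse_lookup(csv_text: str) -> List[Dict[str, str]]:
    """Read a lookup CSV into row dicts; a column the lookup lacks is simply absent."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def merge_assets(sources: List[Source], key: str = "ip"):
    """Merge lookups given from highest to lowest rank.

    For every field, the first (highest-ranked) source with a non-empty value wins.
    A source that lacks the column is skipped for that field, so the value falls
    through to a lower-ranked list. Returns (merged records, per-field provenance).
    """
    merged: Dict[str, Dict[str, str]] = {}
    provenance: Dict[str, Dict[str, str]] = {}
    for name, csv_text in sources:
        for row in parse_lookup(csv_text):
            asset = merged.setdefault(row[key], {key: row[key]})
            origin = provenance.setdefault(row[key], {})
            for field, value in row.items():
                if field == key or not value or field in asset:
                    continue  # key column, empty cell, or already set by a higher rank
                asset[field] = value
                origin[field] = name
    return merged, provenance


def find_conflicts(sources: List[Source], field: str, key: str = "ip"):
    """Report assets for which two or more lookups carry different values of `field`.

    The merge resolves such disagreements by rank without telling anyone; surfacing
    them lets the list owners fix the data (the post's 29-001 vs 40-001 case).
    """
    seen: Dict[str, Dict[str, str]] = {}
    for name, csv_text in sources:
        for row in parse_lookup(csv_text):
            value = row.get(field)
            if value:
                seen.setdefault(row[key], {})[name] = value
    return {k: v for k, v in seen.items() if len(set(v.values())) > 1}


if __name__ == "__main__":
    ranked = [("frothly_assets_2019", FROTHLY_ASSETS_2019),
              ("Thirsty Berner ICS Assets", THIRSTY_BERNER_ICS_ASSETS)]
    merged, origin = merge_assets(ranked)
    print(merged["10.1.4.99"], origin["10.1.4.99"])
    ranked[0] = ("frothly_assets_2019", FROTHLY_ASSETS_2019_WITH_RACK)
    print(merge_assets(ranked)[0]["10.1.4.99"])
    print(find_conflicts(ranked, "rack_number"))
```

Before the column is added to frothly_assets_2019, 10.1.4.99 ends up with priority from frothly and rack_number 29-001 from Thirsty Berner; once frothly carries 40-001 its value wins, and find_conflicts is the check to run before trusting that silent resolution.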
We’ve covered the configuration and creation of the new field, now let’s look at how we can modify content to take advantage of this new field. For this example, we will add rack_number to the tabular Asset Information panel at the bottom of the Asset Center dashboard. Below is the default view.
To display the rack number in the Asset Information panel, we can add rack_number to the <fields> section of the SimpleXML. If we wanted to search and filter by rack_number, additional modifications would be required to pass a token through, but at that point it is no different from any other field.
Here is a zoomed-in version of the row that must be modified with rack_number already added.
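For readers who would rather script the edit than hand-edit the dashboard, here is an added helper (not part of Enterprise Security) that appends a field to the JSON array inside a Simple XML table panel’s <fields> element. The panel below is a constructed stand-in: the real Asset Center dashboard’s field list and search are not reproduced here, and the query is a placeholder. The helper is idempotent, so running it twice does not duplicate the field, and it refuses to touch a panel without a <fields> element rather than guessing.

```python
"""Append a column to a Simple XML table panel's <fields> list (illustrative helper, not ES code)."""
import json
import xml.etree.ElementTree as ET
from typing import List

# Constructed stand-in for the Asset Information panel; the real Asset Center
# dashboard differs, and PLACEHOLDER_ASSET_SEARCH is not a real search.
ASSET_CENTER_PANEL = """<dashboard>
  <row>
    <panel>
      <title>Asset Information</title>
      <table>
        <search>
          <query>PLACEHOLDER_ASSET_SEARCH</query>
        </search>
        <fields>["ip","nt_host","dns","priority","bunit","category","owner"]</fields>
      </table>
    </panel>
  </row>
</dashboard>
"""


def _find_fields_element(root: ET.Element, panel_title: str) -> ET.Element:
    """Locate the <fields> element of the table panel with the given title."""
    for panel in root.iter("panel"):
        if panel.findtext("title") != panel_title:
            continue
        fields_el = panel.find("table/fields")
        if fields_el is None or not fields_el.text:
            raise ValueError(f"panel {panel_title!r} has no <fields> list to extend")
        return fields_el
    raise ValueError(f"no panel titled {panel_title!r}")


def table_fields(xml_text: str, panel_title: str) -> List[str]:
    """Return the field names currently listed for the named table panel."""
    return json.loads(_find_fields_element(ET.fromstring(xml_text), panel_title).text)


def add_table_field(xml_text: str, panel_title: str, field: str) -> str:
    """Return the dashboard XML with `field` appended to the panel's <fields> list.

    The list is a JSON array, so it is parsed and re-serialised rather than string-edited;
    a field that is already present is left alone.
    """
    root = ET.fromstring(xml_text)
    fields_el = _find_fields_element(root, panel_title)
    fields = json.loads(fields_el.text)
    if field not in fields:
        fields.append(field)
        fields_el.text = json.dumps(fields, separators=(",", ":"))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = add_table_field(ASSET_CENTER_PANEL, "Asset Information", "rack_number")
    print(table_fields(updated, "Asset Information"))
```

The resulting <fields> element reads ["ip","nt_host","dns","priority","bunit","category","owner","rack_number"] in this constructed panel; the same approach applies to whatever columns your own copy of the dashboard lists.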
With the field added, we can see that rack_number is now another field in our Asset Information tabular panel. One last comment on this: with version 6.0 of ES, the converged asset and identity lookups are now stored in the KV Store rather than in file-based lookups, which provides better performance and removes any risk of an upgrade clobbering the CSV.
So Steven, I hope this post helped demonstrate how we can extend the existing asset framework, giving you the ability to add fields as your analysts identify the need. You may not know all of the fields you need yet, these things take time, but perhaps this provides some fodder.
Until next time,
Buttercup
----------------------------------------------------
Thanks!
John Stoner