Asset & Identity for Splunk Enterprise Security - Part 3: Empowering Analysts with More Attributes in Notables

Dear Buttercup,

Stop me if you think you've heard this one before but now my analysts are telling me that they need to be able to take these new asset attributes and get them into our notable events so they have them automatically! You have been quite helpful so far so I am turning to you once more to help me understand how we can make this work!

Wistfully,
Steven M.

Steven, 

I’m so pleased to hear from you again and yes, this is a totally reasonable request from your analyst team. As you undoubtedly have been thinking, adding new fields to a dashboard panel is nice and informative, but analysts need this information as they review notable events. This is what we will cover today!

By default, assets (and identities), along with their associated attributes are returned with events if they are available using the automatic lookup capability, as was discussed in our first post in this series. Here we can see the field src_rack_number is populated with the rack number for this specific asset. What’s cool about this is that I didn’t need to do anything to add this field to the automatic lookup, Splunk Enterprise Security added the field to the automatic lookup when we added the new field in our configuration.

Similarly, the automatic lookup function works in the same manner for notable events (index=notable) that you review in Search. In this case, our asset is found in the dest field; the automatic lookup finds the rack number, priority and other attributes and displays them even though they are not actually in the notable event itself.

At this point, Steven, you are probably thinking you’ve got everything now, but alas that is not the case. There is one thing we will need to do to ensure the new asset fields are displayed in the notable events on the Incident Review page. If you are a regular reader of this blog, you may recall our post titled Modifying the Incident Review Page. If you don’t, no worries, we will wait for you. It will take less time than listening to “How Soon Is Now?” 

You’re back? Fantastic. Modifying the Incident Review Settings is very straightforward and can be found within Configure on the ES navigation bar. We have talked about assets being represented as the source (src), destination (dest) or as device (dvc) and the automatic lookups facilitate this. However, because the asset field could be any of those, we will need to create three entries in the Event Attributes list, as you can see below. The automatic lookup does the heavy lifting to automatically prepend dvc, dest or src to our asset fields. Once we have added the new fields to Event Attributes, we can click save at the bottom of the settings page.

Because the automatic lookup is accessing this data whenever a notable event is being viewed, we do not need to wait until new notable events are created and we can immediately see the rack number has been added to our notable! The analyst can see that the device 10.1.4.99, also called portal.thirstyberner.com is in rack 40-001 and if necessary could dispatch someone to that physical location. Obviously, there are many additional attributes that could be used with assets and identities but this is a fine place to start.

Steven, I hope you find that this helps your SOC Analysts and gives them greater flexibility to contextualize their assets (and identities). Take the time to plan out which lists of assets should be prioritized first, the new fields you are going to add and don’t forget to add them to your incident review settings. Additionally, there are many other useful fields like bunit (business unit), category, and priority that already exist to contextualize assets. Use these first and then expand to new fields if needed. Contextualization is key and the better you can describe your assets, the better visibility your analysts will have.

Until next time,
Buttercup

----------------------------------------------------
Thanks!
John Stoner