Getting Data In

How to assign priority to an asset? Splunk ES

splunky_diamond
Path Finder

Hello, Splunkers!

I am learning Splunk ES and trying to understand how the urgency value is assigned for notables generated from the correlation searches. I went over this article: How urgency is assigned to notable events in Splunk Enterprise Security (Splunk Documentation). So, if severity is assigned in the settings of the correlation search, where do we assign the priority to assets? Can someone please explain or provide a documentation page on how this process (assigning priority) is done exactly? Specifically, I would really appreciate it if someone could share where this should be configured: on Enterprise Security itself or elsewhere, and whether it is done through the GUI or requires manually editing some config files.

Also, a bit of a stupid question, but can we also assign priority to identities, for example to indicate a higher priority for admin accounts than for regular accounts?

 

Thank you for taking your time reading and replying to my post ❤️

0 Karma
1 Solution

bowesmana
SplunkTrust

See this

https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Formatassetoridentitylist

So your search will be

index=my_asset_source ...
| eval priority="high"
| table nt_host priority ...
| outputlookup my_asset_definition.csv

You just need to fill in the gaps so you can collect the fields mentioned in the document. Set the priority as you want it to be based on your business rules for defining how you want to assign priority.

 

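As an added example (not bowesmana's search and not Splunk's own code), here are two lookup-generating searches in the shape sketched above, with priority derived from the kind of business rules discussed in this thread: a PCI subnet and an environment tag for assets, and group membership or job title for identities. The index names, sourcetypes, source field names (environment, memberOf, title, etc.) and the 10.20.0.0/16 subnet are assumptions; the output columns follow the ES asset and identity list formats linked above.

```spl
index=cmdb sourcetype="cmdb:assets"
| eval priority=case(
    cidrmatch("10.20.0.0/16", ip), "critical",
    environment="production", "high",
    environment="staging", "medium",
    true(), "low")
| eval pci_domain=if(cidrmatch("10.20.0.0/16", ip), "cardholder", "untrust")
| eval category=if(pci_domain="cardholder", "pci|".environment, environment)
| eval is_expected="true", should_timesync="true", should_update="true", requires_av="true"
| table ip mac nt_host dns owner priority bunit category pci_domain is_expected should_timesync should_update requires_av
| outputlookup my_asset_definition.csv

index=ldap sourcetype="ad:users"
| eval priority=case(
    match(memberOf, "(?i)CN=Domain Admins|CN=Enterprise Admins"), "critical",
    match(title, "(?i)system administrator|security engineer"), "high",
    match(title, "(?i)director|vice president|chief"), "high",
    true(), "medium")
| eval category=if(priority="critical" OR match(title, "(?i)administrator"), "privileged", "standard")
| eval watchlist=if(priority="critical", "true", "false")
| eval identity=mvjoin(mvappend(sAMAccountName, mail), "|")
| rename mail AS email, givenName AS first, sn AS last, department AS bunit, manager AS managedBy
| table identity prefix nick first last suffix email phone phone2 managedBy priority bunit category watchlist startDate endDate
| outputlookup my_identity_definition.csv
```

Schedule each search so the lookups are refreshed regularly, then register the resulting CSVs as asset and identity sources in the Asset and Identity Management page so the merge process picks up the priority column.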

bowesmana
SplunkTrust

Take a look at the asset and identity framework documentation

https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Addassetandidentitydata

Priorities can be assigned through the searches you write to pull in A&I data or can be derived from network subnets.

Typically you may write searches to pull in data from sources and assign priorities based on criteria, such as whether the asset is a production asset, or the identity is a senior manager or a system administrator. This can be based on their job title or group membership.

 

splunky_diamond
Path Finder

Hello @bowesmana, thanks for replying to my post.

Regarding your last suggestion, if I got it right, I can assign the priority value in the search string itself? So far what I've read is that the identities and assets are added to Splunk via lookups, from which the information about their priority is pulled. So, if I got your suggestion about assigning priorities in the searches themselves, could you please provide an example? I would really appreciate it!

Cheers,

Splunky diamond

0 Karma

