Splunk for OT Security App (DA-ESS-OTSecurity) Configuration ¶

Once the Splunk OT Security Solution app has been installed in your Splunk environment alongside your Splunk Enterprise Security app, you will need to take the following steps to configure the application for production use:

Core Integration Steps ¶

Step 1: Update Navigation Menus ¶

Splunk for OT Security comes with navigation menus that can be edited to suit your Enterprise Security deployment. These navigation menus include links to the dashboards and reports that are included in the Splunk for OT Security solution.

To update the navigation menu, open the Enterprise Security app in your Splunk instance and follow these steps:

- Go to the Enterprise Security app in Splunk.
- In the app navigation bar, navigate to the following location:
- On the Edit Navigation screen, add existing menus by selecting: Add a New Collection→Add Existing→App:DA-ESS-OTSecurity→Select a Collection.
- The menu containing all the Operational Technology dashboards and reports will now appear.

These can be dragged to the desired location in the menu hierarchy or can be modified to fit your organization's needs. For example, the Compliance menu containing the NERC CIP dashboards may be removed if your organization is not under NERC CIP regulations.

The Splunk for OT Security Solution extends the ES Asset Framework to provide additional context and information about OT assets. Ideally all fields (including those from the core ES asset framework) are populated, but only the mandatory ones are required. Fields that are mandatory from the core framework include at least one of the following: dns, ip, mac, or nt_host.

To update the asset framework, follow these steps:

- Go to the Enterprise Security app in Splunk.
- In the app navigation bar go to the following location: Configure→Data Enrichment→Asset and Identity Management.
- Enable asset and identity correlation on the Correlation Setup tab and set it to either Enable for all sourcetypes or Enable selectively by sourcetype, supplying the required sourcetypes. In most cases, Enable selectively by sourcetype is preferred, as it results in less load on the Splunk infrastructure: it only searches the specified data sources rather than all data.
- Update the Asset Framework by adding the new fields (field names are case sensitive) as shown here:

For NERC CIP use cases ONLY the following fields should have values as indicated here:

Now that you have updated the Asset Framework fields, asset and identity lookup files can be uploaded into ES.

Note: previous versions of the add-on require specific lookup file names to be used, but this is no longer a requirement.

Important: In order to leverage lookup files from apps outside of Enterprise Security, Lookup Definitions must be created within the Splunk Enterprise Security Suite app context. For more information on managing lookups and knowledge objects within Splunk Enterprise, please refer to the documentation linked at the beginning of this document.

To create the lookup files and link them to the asset & identity framework, follow these steps:

- Click on New Lookup Definition. This lookup definition should be linked to the lookup file containing information regarding your assets or identities. In addition, this lookup definition needs to be shared globally to be accessible in Enterprise Security. This step will need to be repeated if you have multiple asset lookup files, and independently for assets and identities.
- In the app navigation bar go to the following location: Configure→Data Enrichment→Asset and Identity Management.
- Go to the Asset Lookup Configuration tab.
- Click on the + New button and configure your new asset lookup to match the name of your Lookup Definition for Assets.
- Repeat steps 6 and 7 until you have created new asset configurations for each of your asset lookup definitions.
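As an added pre-upload check, not part of the original page or of the Splunk for OT Security app, the following Python validates an asset lookup CSV against the two rules stated above: every row must populate at least one of the core key fields (dns, ip, mac, nt_host), and field names are case sensitive, so a column named IP does not count as ip. The sample CSV content and its column set are constructed for illustration.

```python
import csv
import io

# Core ES asset-framework key fields: a row is only usable if at least one is populated.
ES_ASSET_KEY_FIELDS = ("dns", "ip", "mac", "nt_host")


def validate_asset_lookup(csv_text, key_fields=ES_ASSET_KEY_FIELDS):
    """Check an asset lookup CSV before uploading it to Enterprise Security.

    Returns a dict with:
      missing_key_columns: key fields absent from the header
      case_mismatch:       header columns that match a key field only when case is ignored
      bad_rows:            data row number (1-based, header excluded) -> problem found
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    present = [f for f in key_fields if f in header]
    result = {
        "missing_key_columns": [f for f in key_fields if f not in header],
        # Field names are case sensitive in the asset framework, so "IP" is not "ip".
        "case_mismatch": {h: h.lower() for h in header
                          if h not in key_fields and h.lower() in key_fields},
        "bad_rows": {},
    }
    if not present:
        result["bad_rows"]["*"] = "no key field column present"
        return result
    for n, row in enumerate(reader, start=1):
        # A row with every key field blank can never be matched against events.
        if not any((row.get(f) or "").strip() for f in present):
            result["bad_rows"][n] = "no key field populated"
    return result


# Constructed sample lookup content (not from the original page).
SAMPLE_ASSETS = """ip,mac,nt_host,dns,priority,category
10.10.1.5,00:11:22:33:44:55,PLC-01,plc-01.ot.example,critical,ot
,,,,high,ot
10.10.1.7,,,,medium,ot
"""

# Same data with wrongly cased key columns: ES would not recognise them as key fields.
SAMPLE_ASSETS_BAD_CASE = SAMPLE_ASSETS.replace("ip,mac,nt_host,dns", "IP,MAC,NT_HOST,DNS", 1)

if __name__ == "__main__":
    print(validate_asset_lookup(SAMPLE_ASSETS))
    print(validate_asset_lookup(SAMPLE_ASSETS_BAD_CASE))
```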