Set up directories for Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence includes 2 internal data sources for enrichment: a company subnet directory and a company user directory. Populate these directories to locate assets on internal networks and provide context on user IDs.

Populate the company subnet directory

You can incorporate location data from your company into Splunk Asset and Risk Intelligence if you have a subnet listing. Populating a company subnet directory is optional, but you might want to use one to identify asset locations.

To populate the company subnet directory, complete the following steps:

  1. Select Admin then Data enrichment and then Company subnet directory.
  2. Update the subnet listing by uploading a CSV file, entering a Splunk search, or manually entering the subnet fields. Follow the steps for your preferred method:

     Upload a CSV file
       1. Select the upload icon. The CSV file you upload must contain the required subnet listing fields. See Required subnet listing fields.
       2. Using the drop-down list, select whether you want to Merge or Overwrite any existing data.
       3. Select Upload.
       Note: The maximum upload size is 5 MB. Upload larger files, or files whose fields have different names, using the Splunk lookup functionality.

     Enter a Splunk search
       1. Select the search icon.
       2. Enter your search using the Search Processing Language (SPL). The search must return the required subnet listing fields. See Required subnet listing fields. For example, the end of a search looks like the following:
       3. Select Merge or Overwrite for the Search mode. You can choose to overwrite any existing subnets with the search, or you can merge the search with existing subnets, including entries that have already been manually added.
       4. (Optional) If you want to run the search immediately, select Run search. Selecting this option runs the search before the designated cron schedule.
       5. (Optional) Preview your search results by selecting Preview search.
       6. Select Save.

     Manually enter the subnet fields
       1. Select the add icon (+).
       2. Enter a value for each subnet field.
       3. Select Add.

After you populate the company subnet directory, you can manually add more entries by selecting the add icon (+), and you can edit, clone, or remove entries using the action icons.

Required subnet listing fields

The subnet listing must contain the following fields:

subnet: Subnet and mask. For example, 10.10.10.10/24.
zone: Subnet IP zone of the entry.
location_id: Any location ID used by the business.
bunit: Business unit of the subnet.
environment: Environment of the subnet. For example, "dev" or "test".
description: Description of the subnet entry.
provider: Name of a provider. For example, AWS.
city: City name for the entry.
state: 2-letter U.S. state or Canadian province code. For example, "ON".
country: 2-letter country code. For example, "US".
region: Region. For example, "AMER" or "EMEA".
type: Subnet type of the entry.
priority: Priority of the subnet. For example, "Critical" or "Low".
vlan: Subnet virtual LAN of the entry.

Note: Some fields can have null values, but every field must be present in the lookup table header. Leave null values empty; don't change them to "unknown" or something similar.

Add entity zones to the company subnet directory

With zones, you can differentiate network areas that use the same IP address space. For example, if a company acquires another company, you might want to specify a zone for each subnet entry.

To use entity zones, you must identify a zone for each entry in the company subnet directory and also for each data source you add to Splunk Asset and Risk Intelligence.

Note: By default, each subnet entry has a Zone value of default, and each data source has an ip_zone value of default. If you don't want to use zones, you don't need to edit these values.

Prerequisite

You must turn on entity zones in Configuration settings before adding a zone to the company subnet directory. See Turn on or turn off entity zones.

To add a new zone in the company subnet directory, complete the following steps:

  1. Select Admin then Data enrichment and then Company subnet directory.
  2. Select the add icon (+) to add a new subnet entry to your company subnet directory.
  3. Enter values for the subnet fields including a new name for Zone.
  4. Select Add.
  5. Select the add icon (+) to add additional subnet entries with the new entity zone.
    Note: You can't edit the zone for existing subnet entries.

After you add zones to your company subnet directory, make sure to also identify zones for each data source you add. See Data source field mapping reference.
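To show how a zone disambiguates overlapping address space, here is an added Python example (not part of the Splunk documentation or the product's own code) that resolves an IP address to the most specific subnet directory entry within a zone and copies that entry's location context onto an event. The directory rows, the event shape (an `ip` field plus the data source's `ip_zone` field) and the longest-prefix rule are assumptions made for illustration.

```python
import ipaddress
from typing import Optional

# Constructed sample rows in the shape of the company subnet directory.
# Empty strings stand for null fields. The first two rows deliberately share
# a CIDR but sit in different zones, as after a company acquisition.
SUBNET_DIRECTORY = [
    {"subnet": "10.10.10.10/24", "zone": "default", "location_id": "HQ-01",
     "bunit": "corp", "environment": "prod", "description": "HQ user LAN",
     "provider": "", "city": "Toronto", "state": "ON", "country": "CA",
     "region": "AMER", "type": "user", "priority": "Low", "vlan": "110"},
    {"subnet": "10.10.10.0/24", "zone": "acme", "location_id": "ACME-DC1",
     "bunit": "acme", "environment": "prod", "description": "Acme data center",
     "provider": "", "city": "Austin", "state": "TX", "country": "US",
     "region": "AMER", "type": "server", "priority": "Critical", "vlan": ""},
    {"subnet": "10.10.0.0/16", "zone": "default", "location_id": "HQ-CAMPUS",
     "bunit": "corp", "environment": "prod", "description": "HQ campus range",
     "provider": "", "city": "Toronto", "state": "ON", "country": "CA",
     "region": "AMER", "type": "user", "priority": "Low", "vlan": ""},
]


def find_subnet_entry(ip: str, zone: str = "default",
                      directory=SUBNET_DIRECTORY) -> Optional[dict]:
    """Return the most specific directory entry whose subnet contains ip,
    considering only entries in the given zone. Returns None on no match.
    (Assumed lookup rule: longest matching prefix wins within a zone.)"""
    addr = ipaddress.ip_address(ip)
    best, best_prefix = None, -1
    for entry in directory:
        if entry["zone"] != zone:
            continue
        # strict=False accepts entries written with host bits set, such as
        # the documentation's own example 10.10.10.10/24.
        net = ipaddress.ip_network(entry["subnet"], strict=False)
        if addr in net and net.prefixlen > best_prefix:
            best, best_prefix = entry, net.prefixlen
    return best


def enrich_event(event: dict, directory=SUBNET_DIRECTORY) -> dict:
    """Attach location context to an event that carries an 'ip' field and,
    optionally, the data source's 'ip_zone' field. A missing ip_zone falls
    back to 'default', matching the directory's default zone value."""
    entry = find_subnet_entry(event["ip"], event.get("ip_zone", "default"), directory)
    enriched = dict(event)
    if entry is not None:
        for field in ("zone", "location_id", "city", "country", "priority"):
            enriched[field] = entry[field]
    return enriched


if __name__ == "__main__":
    # Same address, two zones: the zone decides which location is reported.
    print(enrich_event({"ip": "10.10.10.5"}))
    print(enrich_event({"ip": "10.10.10.5", "ip_zone": "acme"}))
```

An event from a data source whose `ip_zone` was left at `default` never matches an entry in the `acme` zone, which is why the note above says both the subnet entries and each data source need a zone once zones are in use.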

Populate the company user directory

You must populate the company user directory to store asset context such as user IDs and email addresses.

To populate the company user directory, complete the following steps:

  1. Select Admin then Data enrichment and then Company user directory.
  2. Update the user listing by uploading a CSV file, entering a Splunk search, or manually entering the user fields. Follow the steps for your preferred method:

     Upload a CSV file
       1. Select the upload icon. The CSV file you upload must contain the required user listing fields. See Required user listing fields.
       2. Using the drop-down list, select whether you want to Merge or Overwrite any existing data.
       3. Select Upload.
       Note: The maximum upload size is 5 MB. Upload larger files, or files whose fields have different names, using the Splunk lookup functionality.

     Enter a Splunk search
       1. Select the search icon.
       2. Enter your search using the Search Processing Language (SPL). The search must return the required user listing fields. See Required user listing fields. For example, the end of a search looks like the following:
       3. Select Merge or Overwrite for the Search mode. You can choose to overwrite any existing user data with the search, or you can merge the search with existing user data, including entries that have already been manually added.
       4. (Optional) If you want to run the search immediately, select Run search. Selecting this option runs the search before the designated cron schedule.
       5. (Optional) Preview your search results by selecting Preview search.
       6. Select Save.

     Manually enter the user fields
       1. Select the add icon (+).
       2. Enter a value for each user field.
       3. Select Add.

After you populate the company user directory, you can manually add more entries by selecting the add icon (+), and you can edit, clone, or remove entries using the action icons.

Required user listing fields

The user directory listing must contain the following fields:

user_id: The username for the listing.
user_first: First name of the user.
user_last: Last name of the user.
user_category: Category of the user. For example, "contractor" or "employee".
user_email: Email address of the user.
user_title: The job title of the user.
user_business: Business of the user.
user_bunit: Business unit of the user.
user_city: City where the user is based.
user_state: 2-letter U.S. state or Canadian province code where the user is based. For example, "ON".
user_country: 2-letter country code where the user is based. For example, "US".
user_location_id: Location ID used by the business to identify a company location.
user_region: Region where the user is based. For example, "APAC" or "AMER".
user_priority: The priority of the user. For example, an executive might be "high" priority.
user_start_date: The date the user started at the company.
user_end_date: The date the user left the company.

Note: Some fields can have null values, but every field must be present in the lookup table header. Leave null values empty; don't change them to "unknown" or something similar.