Integration Guidance with the OT Security Add-on for Splunk¶

Integrating with specific OT Data Models¶

Splunk for OT Security includes several data models that can be leveraged to automatically generate asset lookups. In addition, OT partners of Splunk should populate any hardware and software data captured or created by their add-ons to these data models.

Two data models have been created to facilitate populating assets into Splunk for Enterprise Security. The most critical model​ for asset information in the Splunk OT Security Solution is​ the OT Asset​ ​ data model contained in the Splunk for OT Security app. This data model is designed to be used with hardware assets such as servers, PLC's, workstations, etc. and contains all fields in the OT Asset Framework. An additional data model also exists called OT Software Asset​ which is used to populate additional information regarding firmware, operating system, and software present on each OT asset. Together data from each can be combined to provide additional context around an asset as well as components installed on each asset.

The OT Add-on for Splunk has specific requirements for parts of the ES Asset Framework field values and formats. These fields are used to tag and identify assets as belonging to OT systems or specific classifications. More information on the data model fields can be found below. The following outline these requirements.

Overlapping Asset Information Across Sites¶

Some vendors will re-use IP address, DNS names, and/or host names at different locations. While the site_id field can help distinguish on dashboards, the asset framework requires customization when this occurs. This specifically requires an additional field to be added to asset lookup files used by Enterprise Security called cim_entity_zone. In many cases this can be set to be the same as the site_id but can be customized as needed. For documentation on enabling this feature see the Enabling entity zones for assets and identities in Splunk Enterprise Security documentation.

Integration with Asset Inventory¶

This section outlines the basic procedures that should be used to integrate data from OT Security products with ES's Asset Framework. While each product's implementation may vary, these steps should provide additional steps to validate OT Asset information and avoid issues with bad or default values. The OT Asset Data Model should serve as the guide for field names and in the search below it is assumed mapping of field names has also been completed.

1. Run the following query within the search context of the OT Security vendors add-on :

<base search>
| makemv ip delim=\"\|\"
| mvexpand ip \`\`\`split multiple ip\'s into multiple records\`\`\`
| eval ip=if(ip=\"null\", \"\", ip), nt_host=if(nt_host=\"null\", \"\", nt_host), dns=if(dns=\"null\", \"\", dns), mac=if(mac=\"null\", \"\", mac) \`\`\`remove any null string values\`\`\`
| eval ip=if(match(ip, \"\^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\$\"), ip, \"\") \`\`\`check to verify ip is an actual ip - if you are using IPv6 you need to change this\`\`\`
| fillnull ip, dns, nt_host, mac value=\"\"
| makemv mac delim=\"\|\"
| mvexpand mac \`\`\`split multiple macs into multiple records\`\`\`
| eventstats count as mac_count by mac \`\`\`this eliminates any questionable mac\'s that may be repeated\`\`\`
| eval mac=if(mac_count \> 1, \"\", mac)
| dedup ip, dns, nt_host, mac
| table asset_id, asset_model, asset_status, asset_system, asset_type, asset_vendor, asset_version, asset_criticality, bunit, category, city, classification, country, dns, end_of_support, exposure,ip, is_expected, lat, lon, location, mac, nt_host, owner, parent_asset_id, pci_domain, priority, requires_av, serial, should_timesync, should_update, site_id, vlan, zone

This search takes care of several formatting issues that sometimes occur with fields like IP and ensures that they map a IPv4 format. In addition, some products may report mac's which are duplicated among assets, often belonging to a common switch, router, firewall, etc. Any duplicated mac are therefore considered suspect and removed from the asset information.

Note: The tag ot_asset is applied across all data sources. If you are focused only on a particular data set, please modify the query to specify only the selected host, sources, or sourcetypes appropriately.

1. Export the above results to a csv file using the export button

   • 

2. Open Settings → Lookups → Lookup table files +Add New

   • 

   • 

3. Provide the CSV file as well as an alias that will be referenced and click save

   • 

4. Change the Permissions of the lookup file in step 4 and verify is set to be shared globally

5. Open Settings → Lookups → Lookup Definitions and click +Add New

   • 

   • 

6. Create a lookup definition which references the file from step 4 and Save (note: If the file from step 4 does not show up in the lookup file dropdown list you may need to check the lookup permissions to validate it is shared globally)

   • 

7. Change the permissions on the lookup definition so it is shared globally

8. Go to the Enterprise Security App and click on the menu Configure → Data Enrichment → Asset and Identity Framework

   • 

   • 

9. Under the Asset Lookups tab click New → New Configuration

   • 

10. Specify the following required fields: Source, Name, Category, asset_type, site_id, and asset_system. You can leave the other field with their default values (note: if you cannot find your lookup definition you might need to validate permissions for the lookup definition is set to global)

11. Validate that the file is working correctly by going to the Search Preview tab and click on asset_lookup_by_str → Open in search to validate assets are showing up. If your assets do not show up, look at the troubleshooting section of this document.

    • 

OT Asset Data Model¶

The following is a description of the OT Asset Data Model used in the OT Security Add-on

OT Software Asset Data Model¶

The following is a description of the OT Software Asset Data Model used in the OT Security Add-on