count_of_assets_by_category.yml (forked from splunk/security_content)
name: Count of assets by category
id: dcfd6b40-42f9-469d-a433-2e53f7489ff9
version: 1
date: '2017-09-13'
author: Bhavin Patel, Splunk
type: Baseline
datamodel: []
description: This search shows you every asset category you have and the assets that
belong to those categories.
search: '| from datamodel Identity_Management.All_Assets | stats count values(nt_host)
by category | sort -count'
how_to_implement: To successfully implement this search you must first leverage the
  Assets and Identity framework in Enterprise Security to populate your assets_by_str.csv
  lookup, which is then mapped to the Identity_Management data model. The Identity_Management
  data model will then contain the list of known, authorized company assets. Ensure that all
  inventoried systems are continually vetted and updated; this baseline is only as accurate
  as the inventory behind it.
known_false_positives: none
references: []
tags:
  analytic_story:
  - Asset Tracking
  detections:
  - Detect Unauthorized Assets by MAC address
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Identity_Management.All_Assets
  - category
  security_domain: endpoint
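The following is an added example, not code from the security_content repository or from Splunk: it emulates what the baseline's search (`| stats count values(nt_host) by category | sort -count`) computes, offline, over a constructed asset inventory laid out like a subset of the ES assets_by_str.csv lookup. It assumes the ES lookup column names (ip, mac, nt_host, dns, owner, priority, bunit, category, is_expected) and that multivalue fields such as category are pipe-delimited, as ES asset lookups use; the host names and addresses are made up. It also includes a small helper showing the kind of inventory lookup the linked detection ("Detect Unauthorized Assets by MAC address") relies on, written here from scratch rather than taken from that detection's search.

```python
"""Offline emulation of the 'Count of assets by category' baseline.

Added example, not from splunk/security_content. Assumes the ES asset lookup
column layout and pipe-delimited multivalue fields (hypothetical data below).
"""
import csv
import io
from collections import defaultdict

# Constructed sample in (a subset of) the assets_by_str.csv layout.
# Hosts, MACs and addresses are invented for the example.
SAMPLE_ASSETS_CSV = """\
ip,mac,nt_host,dns,owner,priority,bunit,category,is_expected
10.0.1.10,00:11:22:33:44:01,DC01,dc01.corp.example,itops,critical,corp,server|domain_controller,true
10.0.1.11,00:11:22:33:44:02,FILE01,file01.corp.example,itops,high,corp,server,true
10.0.2.20,00:11:22:33:44:03,WS-ALICE,ws-alice.corp.example,alice,medium,finance,workstation|pci,true
10.0.2.21,00:11:22:33:44:04,WS-BOB,ws-bob.corp.example,bob,medium,eng,workstation,true
10.0.3.5,00:11:22:33:44:05,,,,,corp,network,false
"""


def parse_assets(csv_text):
    """Yield one dict per asset row; the pipe-delimited category becomes a list."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["category"] = [c for c in row["category"].split("|") if c]
        yield row


def count_assets_by_category(csv_text):
    """Equivalent of `stats count values(nt_host) by category | sort -count`.

    Mirrors the SPL semantics the baseline depends on:
    - an asset with a multivalue category is counted once under each value
      (stats ... by a multivalue field produces one result per value);
    - count counts every row, including rows with an empty nt_host (the
      network device above), which is why count can exceed len(nt_host);
    - values() returns the distinct, lexicographically sorted host names.
    Ties on count are broken by category name to keep the output stable.
    """
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for asset in parse_assets(csv_text):
        for cat in asset["category"]:
            counts[cat] += 1
            if asset["nt_host"]:
                hosts[cat].add(asset["nt_host"])
    rows = [
        {"category": cat, "count": counts[cat], "nt_host": sorted(hosts[cat])}
        for cat in counts
    ]
    rows.sort(key=lambda r: (-r["count"], r["category"]))
    return rows


def unauthorized_macs(csv_text, observed_macs):
    """Return observed MACs absent from the inventory, normalised to lowercase.

    Illustrates the inventory check behind the linked detection in spirit
    only; the real detection's SPL is not reproduced here.
    """
    known = {row["mac"].lower() for row in parse_assets(csv_text) if row["mac"]}
    return sorted({m.lower() for m in observed_macs} - known)


if __name__ == "__main__":
    for row in count_assets_by_category(SAMPLE_ASSETS_CSV):
        print(f'{row["category"]:18} {row["count"]:>3}  {", ".join(row["nt_host"])}')
    print("unauthorized:", unauthorized_macs(SAMPLE_ASSETS_CSV, ["00:11:22:33:44:01", "AA:BB:CC:DD:EE:FF"]))
```

Note the two points this makes visible that the one-line SPL hides: a host tagged with several categories is counted under each of them, so the per-category counts do not sum to the number of assets, and an inventory row with no nt_host still adds to count but contributes nothing to values(nt_host). Both are expected, but an analyst reading the baseline's output should know about them before comparing counts against another source.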