
Asset Enrichment

The following article exclusively pertains to a Security Data Lake Security feature or functionality. Security Data Lake Security is a part of the Security Data Lake centralized log management platform and requires a separate license. Contact the Security Data Lake Sales team for more information on this product.

Security Data Lake Security enables you to view different types of assets across your environment and enrich logs with asset data. Assets can be associated with specific incoming log messages that match fields in the asset database, providing detailed asset information.

Asset enrichment is achieved through activating the Illuminate:Assets processing pack or implementing a series of pipeline rules. Consequently, these linked assets become searchable and can be utilized in generating alerts. See Create Pipeline Rules with Assets for details about the fields that are used to associate assets with messages.

For more information on how assets can be used in searches, see Enhance Search with Asset Enrichment.

Get Assets Into Security Data Lake

There are two types of assets in Security Data Lake: machine assets and user assets. Machine assets include different types of machines located across your network, such as servers, personal computers, and firewalls. User assets can be system and human user accounts across your environment.

Both asset types can be imported and synced at an interval to make sure that any updates in the external source are reflected in Security Data Lake. See Schedule an Asset Source Sync for more details.

There are two ways to get assets into Security Data Lake. You can:

  • Import assets from an external source, such as LDAP, Active Directory, or Microsoft 365.

  • Manually create assets through the Security Data Lake user interface.

See Import and Configure Assets for more information.

View the Asset Drawer

You can access an asset drawer for each asset listed under Assets in the Security Data Lake Security user interface. The asset drawer provides details about an asset. It also provides an overview of any related security events and reported vulnerabilities. You can use this drawer to monitor your asset's standing, including the risk level and any related security events. Click on any asset to reveal its asset drawer.

The following information is displayed in an asset drawer:

  • Asset details: Asset-related details such as the asset risk score, machine or user details, geographical information, and any custom fields.

    • Asset risk scores: These scores are a useful indication of the risk associated with an asset. They are primarily based on the event risk score and any vulnerabilities. They can be used to triage security events. For more information, see Risk Scores.

  • Security events: You can gain access to details related to the event as well as a replay of the search.

  • Vulnerabilities: The number of associated vulnerabilities imported from an associated vulnerability scanner are displayed in the drawer. Vulnerability scores are available for machine assets only. For more information on vulnerabilities and how to enable vulnerability scanning reports, see Vulnerability Scanning.

View the Asset Drilldown Dashboard

You can access a pre-built dashboard for each asset that shows log sources and other details about the asset. The asset drilldown dashboard allows you to easily explore live data related to specific assets.

To access the dashboard, you have two options:

  • From the Assets page (General or Security perspective), click the More menu (ellipsis) in the table for any asset, then select Asset Dashboard.

  • From an asset drawer, click the Show Asset Dashboard icon beside the asset name.

Note

You can also access the Asset Dashboard from the General perspective by navigating to Security > Activity > Asset Drilldown. With this method, the asset ID parameter is not auto-populated. This method is useful if you have an asset ID copied from an event or log message, which you can then paste into the dashboard to view the information.

The dashboard includes the following widgets:

  • Message Count

  • Top 15 Sources by Event Count

  • Top 15 Source Products by Event Count

  • Top 15 Source Products by Event Count Over Time

  • Asset Related Messages (message table)

You can replay searches and export data. You can also adjust the date/time range and apply filters to the displayed data, as with all dashboards. Because this is a pre-built dashboard, you cannot edit the widgets. However, you can select Save as at the top right to create a duplicate of the dashboard where you can edit and adjust settings for the widgets. The asset must have associated logs before the dashboard contains any useful information.

Import and Configure Assets


Before assets can be used to enrich your log data, you must first import and configure assets in Security Data Lake. Assets can be any of a variety of machine or user entities in your environment, as defined in Asset Enrichment.

In this article we walk you through how to configure the connection between Security Data Lake and an external asset source and how to import assets into Security Data Lake.

Import Assets

The basic steps to import an asset are as follows:

  1. Create or configure an asset source, which requires two parts:

    1. Create a connection to the asset (server configuration).

    2. Create an asset import mapping.

  2. Initiate the import.

These steps are described in detail below.

Create or Configure an Asset Source

You need to create a new asset source or configure an existing source before you can import assets. If you use an existing source, you can edit it by clicking the ellipsis on the source, then selecting Edit from the dropdown.

To create a new asset source:

  1. In the Security layout, navigate to Assets, then select the Sources tab.

  2. Click New Source.

  3. Select the source type from the dropdown. Supported source types are LDAP, Active Directory, and Microsoft 365.

Configuration options differ by source type. LDAP and Active Directory share the same configuration options, while Microsoft 365 uses a different set. Skip to the section below for the type of source you are configuring.


Configure LDAP and Active Directory Sources

Server configuration information is the same for both LDAP and Active Directory. You need to provide credentials from your Microsoft account. Check Microsoft documentation for details. Follow these steps under Connection Configuration:

  1. Enter the following information.

    Title

    Enter a unique name for the source connection.

    Server Address

    Enter the server address to connect to the source. IPv4 and IPv6 are supported. You can enter this value as an IP address or a fully qualified domain name (FQDN).

    Port

    Enter the port number for the server.

    Transport Security

    Select security options for communication between Security Data Lake and the asset source.

    Choose an encryption method:

    • None: No encryption is used.

    • TLS: Communication is secured by TLS.

    • StartTLS: Upgrades the connection to TLS if the server supports it, but falls back to an unencrypted connection if it does not.

    Verify Certificates: If you select either TLS or StartTLS, this option controls whether the server certificate is verified against a Certificate Authority.

    System User DN

    Enter the username for the initial connection to the server, for example: cn=admin,dc=example,dc=com. This value might be optional depending on your server configuration.

    System Password

    Enter the password for the initial connection to the server.

    Description (optional)

    Add a meaningful description.

  2. Click Test Server Connection to validate the connection with the entered credentials. Resolve any errors before proceeding.

    Warning

    Asset import can fail even if the initial connection test succeeds. This failure could happen if the system user is incorrectly configured or if the user lacks the required permissions.

  3. Click Save Connection to save the asset connection configurations.

You can now proceed to configure asset mappings for this source.

Configure Microsoft 365 Sources

Configuration parameters for Microsoft 365 differ from those required for LDAP and Active Directory sources. However, Microsoft 365 connections also offer additional benefits:

  • A Microsoft 365 source allows vulnerabilities to be imported along with assets if the Include Vulnerabilities check box is enabled on the Mapping Configuration page. See Vulnerability Scanning for more information.

  • You can choose to add Entra ID filters for user assets, and Entra ID, Intune, or Defender filters to target specific Microsoft machines when importing.

You are required to enter credentials on the Connection Configuration page that identify the tenant and client application. These credentials can be found in your Microsoft 365 client application. Refer to Microsoft 365 Setup for details on how to establish a connection between the Microsoft 365 API and the Security Data Lake server.

Follow these steps under Connection Configuration:

  1. Enter the following information.

    Title

    Enter a unique name for the source connection.

    Directory (tenant) ID

    Enter the Globally Unique Identifier (GUID) of the tenant to which the content belongs.

    Client ID

    Enter the GUID of your application that created the subscription.

    Client Secret

    Enter the secret string that the application uses to prove its identity when requesting a token.

    Subscription Type

    Select your organization's Microsoft 365 subscription plan from the dropdown.

    Description (optional)

    Add a meaningful description.

  2. Click Test Server Connection to validate the connection with the entered credentials. Resolve any errors before proceeding.

    Warning

    Asset import can fail even if the initial connection test succeeds. This failure could happen if the system user is incorrectly configured or if the user lacks the required permissions.

  3. Click Save Connection to save the asset connection configurations.

You can now proceed to configure asset mappings for this source.

Create an Asset Import Mapping

After setting up the asset connection, you can create multiple queries to import specific subsets of data. For example, you can import "just the admin users" or "just the laptops." This filtering is achieved by defining one or more import mapping configurations that determine which assets are imported from the parent source and how entries in the source map to imported assets in the Security Data Lake asset schema.

After an asset connection is established, you have access to all existing mapping configurations. You can then continue with the configuration wizard to define mapping configurations.


A mapping configuration allows you to define the specific assets that you want to import from a source. It also gives you the option to determine what default values are applied.

For example, you can have an LDAP server with two different mappings. One mapping is configured to select only admin users and has an admin category as well as a high priority category. When you import admin users via this mapping, all of the assets have the same priority and category.

You can set up another mapping that selects general users and uses a medium or low priority. You can set up a high priority mapping for accounting machines and a low priority mapping for user laptops. Configuration parameters can be applied to machine assets and user assets.

You can also configure an asset source sync interval on the mapping configuration page.

Warning

If you have a Microsoft 365 source, you can choose to add Entra ID, Intune, and Defender filters to target specific Microsoft machines.

Mappings can also be edited or deleted on the Sources page by selecting an asset source to reveal carousel cards that represent each mapping.

Mapping Configuration Parameters

Enter the following general information for asset mappings on the Mappings Configuration form:

Asset Type

Select either machine asset or user asset for the source type of the mapping you are creating.

Mapping Title

Enter a unique title for this configuration.

Search Base DN

(AD/LDAP assets only) Enter the base tree to limit the search for which entries to query from the asset source. This entry is written in the form: ou=people,dc=example,dc=com

Search Pattern

(AD/LDAP assets only) Enter the search pattern that determines which entries to import from the asset source.

Categories

(optional) Assign a category by selecting from the dropdown. You can create or update the category list on the Config tab.

Priority

(optional) Select a priority level from the dropdown. This value affects the risk score of the asset. You can update the priority list on the Config tab.

Description

(optional) Enter a detailed description of the mapping configuration.

Enable Sync

Slide this toggle to enable or disable automatic synchronization of assets. To learn about using this feature, see Schedule an Asset Source Sync.

Sync Interval in Hours

Set the interval between syncs if you enable automatic synchronization.

The additional information required depends on the asset source type and whether it is a user asset or machine asset. Skip to the section below for the type of asset you are configuring.

Active Directory and LDAP User Asset Mapping

In the User Asset Mapping section, you define what source entry attribute field should map to each Security Data Lake user asset field. Include the following information:

User ID Attribute

Enter the name of the asset source attribute field that maps to the created Security Data Lake asset, for example uid.

  • For Active Directory, this value is set automatically to objectGUID and cannot be changed. This value is what Active Directory uses as its unique User ID.

  • For LDAP, enter a globally unique identifier for a user, which might be in the form of a GUID or numeric ID.

When assets are imported, if a source entry has, for example, user123 in the User IDs field, then the created Security Data Lake asset also has user123 in its User IDs field.

Username Attribute

Enter the logon username for the account:

  • For Active Directory, this value is typically mapped to sAMAccountName or userPrincipalName.

  • For LDAP, this value is typically mapped to uid.

This value cannot be modified after the first import.

User First Name Attribute

Enter the first or given name for users, if available. This value is typically the givenName attribute.

User Last Name Attribute

Enter the last name or surname for users, if available. This value is typically the sn attribute.

User Full Name Attribute

Enter the full display name of the user, generally stored in the displayName attribute.

Note

If either User First Name Attribute or User Full Name Attribute include values, those values take precedence over this one.

Email Attributes

Enter email attributes for users:

  • For Active Directory, typically mail (primary) and proxyAddresses (alias/secondary).

  • For LDAP, typically mail (primary) and mailAlternateAddress (alias/secondary).

Note that you can include multiple attributes in this field by pressing Enter or Tab.

Active Directory and LDAP Machine Asset Mapping

In the Machine Asset Mapping section, you define what source entry attribute field should map to each Security Data Lake machine asset field. Include the following information:

Asset Name

Enter a unique identifier for the machine.

Host Name Attributes

Enter the name of a computer or machine object. This value is typically stored in dNSHostName (Active Directory) or cn (LDAP).

Note that you can include multiple values in this field by pressing Enter or Tab.

IP Address Attributes

Enter the IP address for the machine. Note that you can include multiple values in this field by pressing Enter or Tab.

MAC Address Attributes

Enter the MAC address for the machine. Note that you can include multiple values in this field by pressing Enter or Tab.

Owner

(Optional) Enter the attribute that maps to the asset owner:

  • For Active Directory, this value is typically managedBy.

  • For LDAP, this value is typically owner or manager.

Microsoft 365 User and Machine Mapping

In the mapping section for Microsoft 365, you define filters to apply to the imported source:

  • For user assets, you can apply only Entra ID filters.

  • For machine assets, you can apply Entra ID, Intune, and Defender filters.

For each category, you enter the filter as a search query that limits the data returned. If you want to return all data, enter the wildcard character (*). See the Microsoft documentation for how to construct filter queries.

Test Your Mapping Configuration

After you enter the values, you can test the mapping configuration by clicking the Test Mapping button. A test import is run and you receive a sample of what imported assets will look like. You can make changes and re-test before you save the configuration and initiate an actual import.

If there is an error, you are presented with a warning box that states the problem. In this case, you need to troubleshoot and reconfigure the connection before you can import assets.

Initiate the Import

When both connection and mapping configurations are saved, you can initiate an asset import. Click the Actions button, then select Import from the dropdown. This action pulls the targeted entries from the asset source, maps them based on the mapping configuration, and creates assets in Security Data Lake that can be viewed from the Assets page.

Note

For LDAP and Active Directory assets, Security Data Lake uses internal paging for imports. These sources are often limited to imports of 1000 assets at a time. By default, the page size in Security Data Lake is set to 500, which should avoid issues in most environments. However, if you need to adjust page size, you can set the ad_ldap_page_size property in your server.conf file to a value that works for your system.

Click a source on the Sources page to view or edit its configuration.

When you import or sync an asset, its name remains the same as in the source. Any subsequent imports or syncs match existing assets by name and update all of the details from the backend. This way, the asset remains constant and searching is unaffected.

Note

Assets that are imported through a mapping are deleted if the corresponding asset in the source is deleted.

Schedule an Asset Source Sync

The asset source sync functionality performs the same actions as an asset import on a schedule, so any change in the source, whether an update to an asset or the removal of one or more assets, is automatically reflected in Security Data Lake.

You can schedule the import of assets by defining an interval. Asset source sync is available for all mappings listed under a source. Select a source to view the available mappings.

To enable asset source sync:

  1. Navigate to Assets > Sources.

  2. Locate the asset.

  3. Click Edit found at the end of the corresponding row.

  4. Click the Mappings configuration tab.

  5. Scroll down and toggle on the Enable Sync option.

  6. Click Save & Complete.

The default sync interval is in hours and can be modified.

Roles and Permissions

Security Data Lake includes two roles specific to managing or working with assets:

  • Asset Manager: Grants read/write access to all assets. This role is required to create asset sources, import assets, and all other management functions for assets. Note that this role's permissions are included for all Admin users but you can assign the role to any non-Admin users you want to have elevated permissions for assets.

  • Asset Reader: Grants read-only access to assets. This role is sufficient for users who do not need to manage assets.

The following permissions are included in the above roles and are required for the management of asset sources and mappings as follows:

  • asset:read: Viewing and listing asset sources and asset source mappings.

  • asset:edit: Creating, editing, and deleting sources.

  • asset:create: Creating, editing, and deleting source mappings.

  • asset:manage_vulnerability_scanners: Creating, editing, and deleting vulnerability scanners.

The Asset Reader role includes only the asset:read permission, while Asset Manager includes all of these permissions.

Create a New Asset

You can create a new asset through the Security Data Lake Security user interface manually. To do so:

  1. Select Assets from the top-level menu.

  2. Toggle to the desired asset type (user/machine) in the tab header.

  3. Click the New Asset button.

Create a New Machine Asset

To create machine assets, navigate to Assets > Machines then click the New Asset button. Follow the configuration wizard to configure a new machine asset. At a minimum, machine assets must have a name and at least one IP address, hostname, or MAC address.

Configuration Parameters

General Info

  • Asset Name: The unique display name for the asset. This name must be unique across all asset types.

  • Owner: Person or group who owns this machine.

  • IP Addresses: IP addresses associated with the asset. Both IPv4 and IPv6 are supported.

  • Hostnames: Hostnames associated with the asset.

  • MAC Addresses: MAC addresses of the asset.

  • Categories: Tags for the asset. A list of categories can be configured in the Assets > Config menu.

  • Priority: Asset priority. A list of priorities can be configured in the Assets > Config menu.

  • Description: Provide a description of the asset.

Location

This section includes fields related to the physical location of the asset. These fields are optional.

Custom Fields

The Custom Fields section lets you track any additional information about a machine asset beyond the fields provided in the user interface. Each custom field has a name, a type (string, date, or number), and a set of values.

Note

Tracking historical changes made to an asset over time can be performed in audit logs by searching for the asset ID. Changes can also be tracked using the Custom Fields section. For example, if a machine asset is passed from one owner to the next, a list of previous owners can be tracked in a custom string field. You can create a custom field under Custom Fields when creating or editing an asset.

Create a New User Asset

To create user assets, navigate to Assets > Users then click the New Asset button. Follow the configuration wizard to configure a new user asset. At a minimum, user assets need to have an asset name and at least one username.

Configuration Parameters

  • Asset Name: The unique display name for the asset. This name must be unique across all asset types.

  • Category: Tags for the asset. A list of categories can be configured in the Assets > Config menu.

  • Priority: Asset priority. A list of priorities can be configured in the Assets > Config menu.

  • Usernames: Usernames associated to the user.

  • User IDs: Unique identifiers for the user other than username: for example, a Windows SID or UUID.

  • Email Addresses: Any email addresses associated with the user.

  • First Name: User's first name.

  • Last Name: User's last name.

Manage Asset Configurations

The Config menu found on the Assets page gives you the ability to manage asset priorities and categories. Each asset can be assigned a priority and multiple categories.

Manage Asset Priority

Priorities are used to classify the importance of machine and user assets. For example, a user asset with a basic account would likely have a lower priority than that of an admin user account with more privileged access to the network. There is a default list of priorities including Low, Medium, High, and Critical, which can be customized in the tab.

Note

The asset priority that is set here directly affects the asset risk score. If it is set low, the asset risk score will also be low.

Manage Asset Category

Categories are used as tags to group and sort assets. There are no default categories. You can add a category in two places:

  • Config tab: Edit or create a new category in the Config tab.

  • New asset configuration modal: Directly type in a new category in the Categories field when creating or editing an asset.

When a category is created through either method, it becomes available in the Category dropdown to be assigned to future assets. To assign a category to multiple assets:

  1. Select your assets on the Assets page.

  2. Click the Bulk Actions button.

  3. Click Add Category.

  4. Select the desired category.

  5. Click Confirm.

Microsoft 365 Asset Source Sync

In order to utilize Microsoft 365 as an asset source, a connection between the Microsoft 365 API and the Security Data Lake server is required. You are asked to enter the following when creating a new Microsoft 365 asset source on the Connection Configuration page in the Security Data Lake user interface:

  • Tenant ID

  • Client ID

  • Client Secret

If you do not have an active Microsoft 365 client application, you will need to register one and provide the credentials listed above. You can learn more about registering an application in the Microsoft identity platform by visiting the related Microsoft website. Keep reading to learn about the required API permissions to enable the connection between Microsoft 365 and Security Data Lake.

Prerequisites

You need to be able to access Microsoft products and the Microsoft 365 API to fully utilize the asset source sync and vulnerability import functionality. There are four Microsoft subscriptions that are required:

1. Entra ID

Required for: user asset import

Optional for: machine asset import

Not used for: vulnerability import

2. Intune

Optional for: machine or user asset import

Not used for: vulnerability import

3. Defender

Required for: vulnerability import

Optional for: machine asset import

Not used for: user asset import

4. Defender Vulnerability Management Add-on

Required for: vulnerability import

Optional for: machine asset import

Not used for: user asset import

API Permissions

Once you have fulfilled the above prerequisites, an application with API access and the correct permissions must be created to connect a Security Data Lake instance and pull assets and vulnerabilities from Microsoft 365. The required permissions for all supported functionality to work are:

Microsoft Graph

Device.Read.All

DeviceManagementConfiguration.Read.All

DeviceManagementManagedDevices.Read.All

User.Read.All

User.ReadBasic.All

WindowsDefenderATP

Machine.Read.All

Vulnerability.Read.All

Configure the Required API Permissions

  1. Log into Microsoft Azure.

  2. Select Entra ID.

  3. Select App registration > New registration.

  4. Register a new application.

    1. Provide a name for the application (for example, Security Data Lake Log Access).

    2. Select the appropriate account type.

    3. Do not add a redirect URI.

    4. Click the Register button.

    Note

    Once the application is registered, take note of Application (client) ID and Directory (tenant) ID.

  5. Click Add a certificate or secret.

  6. Click New client secret.

  7. Take note of the Client Secret value. Once you navigate away from this page, the value will no longer be visible. If you lose it, delete the old one and/or create a new one. You will need to update any Security Data Lake inputs using the old secret if you delete it.

  8. For the newly created application, navigate to API permissions.

  9. Click on Add a permission.

  10. Select Microsoft Graph.

  11. Select Application Permissions.

  12. Select relevant permissions (e.g. select necessary user read permissions).

  13. Navigate to the Microsoft Entra admin center and log in with the account created above.

  14. Navigate to Applications > Enterprise Applications > All applications.

  15. Select the name of the application(s) selected in the previous steps.

  16. Click Permissions > Grant admin consent for MSFT.

  17. You will then be asked to re-authenticate your account and grant the permissions that you requested.

  18. Click Accept.

You should now see the new permissions in the list and be able to access the API accordingly.

Note

It can take a while for the permissions to propagate between steps, so you may need to wait or try refreshing.

Create Pipeline Rules with Assets

A set of pipeline rules can be used to set the associated assets field on a message, update existing assets, and retrieve asset information to further enrich messages. Asset-related pipeline functions allow you to do more with assets via processing pipelines.

set_associated_assets

This pipeline rule populates the associated_assets and associated_asset_categories fields on the message using GIM schema fields. The associated assets field will be an array with the ID of each asset that matches a field on the message to an asset field of the same type. The associated_assets field will determine which assets are displayed on the expanded log message on the search page. The associated_asset_categories field will be an array that includes all associated asset categories.

Machine Asset Message Fields

The following fields are used to associate machine assets:

IP Address Message Fields

  • source_ip

  • source_ipv6

  • source_nat_ip

  • destination_ip

  • destination_nat_ip

  • host_ip

  • vendor_private_ip

  • vendor_private_ipv6

  • vendor_public_ip

  • vendor_public_ipv6

  • event_observer_ip

MAC Address Message Fields

  • source_mac

  • destination_mac

Hostname Message Fields

  • source_hostname

  • destination_hostname

  • host_hostname

User Asset Message Fields

The following fields are used to associate user assets:

Username Message Fields

  • user_name

  • target_user_name

  • user_name_mapped

User ID Message Fields

  • user_id

  • target_user_id

Email Message Fields

  • user_email

  • target_user_email

Warning

This function uses an in-memory cache to limit the amount of DB calls required to associate an asset with a message.
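The matching that set_associated_assets performs, modelled as an added Python example (not Security Data Lake or Graylog code): each GIM message field listed above is compared against asset detail fields of the same type, and the IDs and categories of every matching asset are written to the message. The asset record shape, the sample assets, and case-insensitive comparison are assumptions constructed for this illustration.

```python
"""Model of the set_associated_assets matching described in the documentation.

Added illustration only; the real function runs inside the processing pipeline.
Asset records below mirror the map shape returned by machine_asset_lookup and
user_asset_lookup, and are constructed sample data.
"""

# GIM message fields listed in the documentation, grouped by asset field type.
IP_FIELDS = ["source_ip", "source_ipv6", "source_nat_ip", "destination_ip",
             "destination_nat_ip", "host_ip", "vendor_private_ip",
             "vendor_private_ipv6", "vendor_public_ip", "vendor_public_ipv6",
             "event_observer_ip"]
MAC_FIELDS = ["source_mac", "destination_mac"]
HOSTNAME_FIELDS = ["source_hostname", "destination_hostname", "host_hostname"]
USERNAME_FIELDS = ["user_name", "target_user_name", "user_name_mapped"]
USER_ID_FIELDS = ["user_id", "target_user_id"]
EMAIL_FIELDS = ["user_email", "target_user_email"]

# Each message-field group is compared only against the asset detail key of
# the same type (an IP is never matched against a hostname, and so on).
FIELD_GROUPS = [
    (IP_FIELDS, "ip_addresses"),
    (MAC_FIELDS, "mac_addresses"),
    (HOSTNAME_FIELDS, "hostnames"),
    (USERNAME_FIELDS, "username"),
    (USER_ID_FIELDS, "user_ids"),
    (EMAIL_FIELDS, "email_addresses"),
]

# Constructed sample assets (assumption: one machine asset, one user asset).
ASSETS = [
    {"id": "asset-m-001", "name": "web-01", "priority": 3,
     "category": ["web-server"],
     "details": {"type": "machine", "ip_addresses": ["10.0.0.5"],
                 "mac_addresses": ["AA:BB:CC:DD:EE:FF"],
                 "hostnames": ["web-01.example.com"]}},
    {"id": "asset-u-001", "name": "alice", "priority": 4,
     "category": ["admin"],
     "details": {"type": "user", "username": "alice",
                 "user_ids": ["S-1-5-21-111-222-333-1001"],
                 "email_addresses": ["alice@example.com"]}},
]

# Constructed sample message carrying GIM fields.
SAMPLE_MESSAGE = {"source_ip": "10.0.0.5", "destination_ip": "10.0.0.9",
                  "user_name": "alice", "source_mac": "aa:bb:cc:dd:ee:ff"}


def _values(value):
    """Asset and message values may be a single string or an array of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _norm(value):
    # Assumption: comparisons are case-insensitive (MACs, hostnames, emails
    # commonly differ only in case between sources and log producers).
    return str(value).strip().lower()


def build_index(assets):
    """Index (detail_key, normalised value) -> set of asset IDs.

    This plays the role of the in-memory cache the documentation mentions:
    built once, then consulted for every message instead of querying the DB.
    """
    index = {}
    for asset in assets:
        for _, key in FIELD_GROUPS:
            for value in _values(asset["details"].get(key)):
                index.setdefault((key, _norm(value)), set()).add(asset["id"])
    return index


def set_associated_assets(message, assets, index=None):
    """Return a copy of the message with associated_assets and
    associated_asset_categories populated from matching assets."""
    index = index if index is not None else build_index(assets)
    by_id = {asset["id"]: asset for asset in assets}
    matched = set()
    for fields, key in FIELD_GROUPS:
        for field in fields:
            for value in _values(message.get(field)):
                matched |= index.get((key, _norm(value)), set())
    categories = set()
    for asset_id in matched:
        categories.update(by_id[asset_id].get("category", []))
    enriched = dict(message)
    enriched["associated_assets"] = sorted(matched)
    enriched["associated_asset_categories"] = sorted(categories)
    return enriched


if __name__ == "__main__":
    idx = build_index(ASSETS)
    for msg in (SAMPLE_MESSAGE, {"message": "no GIM fields"}):
        print(set_associated_assets(msg, ASSETS, idx))
```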

machine_asset_lookup

This pipeline rule takes a lookup_type and value parameter. lookup_type can be either name, ip, mac, or hostname. The value field is the value used to look up the specified type. The rule assumes that the lookup will be unique, so if multiple assets happen to match the lookup, only one will be returned. If the lookup has a match, it will return a map with the following structure:

{
  "id": "string",
  "name": "string",
  "priority": number,
  "category": ["string", "array"],
  "details": {
    "type": "machine",
    "description": "string",
    "owner": "string",
    "ip_addresses": ["string", "array"],
    "mac_addresses": ["string", "array"],
    "hostnames": ["string", "array"],
    "custom_fields": Map
  }
}

The custom_fields map structure will depend on the custom fields defined for a given asset. Each entry will have a string key and an array of values that are either strings, dates, or numbers.

These fields can then be used to enrich the message in a more targeted way than the set_associated_assets rule. For example, to look up an asset by the source_ip field and then set fields on the message based on the asset returned would look similar to:

rule "machine_asset_lookup"
when
    has_field("source_ip")
then
    let asset = machine_asset_lookup(lookup_type:"ip", value:to_string($message.source_ip));
    let details = asset.details;
    set_field("asset_id", asset.id);
    set_field("asset_name", asset.name);
    set_field("asset_description", details.description);
    set_field("asset_ips", details.ip_addresses);
    set_field("asset_macs", details.mac_addresses);
    set_field("asset_hostnames", details.hostnames);
end
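The rule above stops at a single field. The following staged fallback is an added example, not code from the original page: stage 0 looks up the asset by source_ip, stage 1 runs only if nothing matched and tries destination_ip, and stage 2 marks messages that matched no asset so unknown hosts can be searched for. It assumes the is_not_null() pipeline function is available, that the three rules sit in consecutive pipeline stages, and the field names asset_lookup_field and asset_match are constructed for this example.

```text
// Added example, not from the original page: a staged fallback across two of
// the IP message fields from the table above. Put each rule in its own
// consecutive pipeline stage so later rules can see fields set earlier.
// Assumption: is_not_null() is available in the pipeline function library.

// Stage 0: prefer the sending host.
rule "asset lookup: by source_ip"
when
    has_field("source_ip") &&
    is_not_null(machine_asset_lookup(lookup_type:"ip", value:to_string($message.source_ip)))
then
    // "then" has no conditional statement, so the lookup that "when" already
    // proved to match is repeated here to read its fields.
    let asset = machine_asset_lookup(lookup_type:"ip", value:to_string($message.source_ip));
    let details = asset.details;
    set_field("asset_id", asset.id);
    set_field("asset_name", asset.name);
    set_field("asset_priority", asset.priority);
    set_field("asset_owner", details.owner);
    set_field("asset_hostnames", details.hostnames);
    set_field("asset_lookup_field", "source_ip");
end

// Stage 1: runs only when stage 0 set no asset_id; try the receiving host.
rule "asset lookup: fall back to destination_ip"
when
    !has_field("asset_id") &&
    has_field("destination_ip") &&
    is_not_null(machine_asset_lookup(lookup_type:"ip", value:to_string($message.destination_ip)))
then
    let asset = machine_asset_lookup(lookup_type:"ip", value:to_string($message.destination_ip));
    let details = asset.details;
    set_field("asset_id", asset.id);
    set_field("asset_name", asset.name);
    set_field("asset_priority", asset.priority);
    set_field("asset_owner", details.owner);
    set_field("asset_hostnames", details.hostnames);
    set_field("asset_lookup_field", "destination_ip");
end

// Stage 2: record that an addressed message matched no known asset, so
// unknown hosts can be searched for (asset_match:none) and reviewed.
rule "asset lookup: mark unmatched"
when
    !has_field("asset_id") &&
    (has_field("source_ip") || has_field("destination_ip"))
then
    set_field("asset_match", "none");
end
```

Because the page notes that a lookup with several matching assets returns only one, asset_lookup_field records which message field produced the match, which is worth keeping when a result looks wrong.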

machine_asset_update

This rule will update IP addresses and hostnames of existing machine assets. The parameters are:

  • lookup_type: Either name, ip, mac, or hostname.

  • lookup_value: The value for the lookup_type.

  • ip_addresses: String or array of IP addresses to update the asset with [optional].

  • hostnames: String or array of hostnames to update the asset with [optional].

rule "machine_asset_update"
when
    true
then
    machine_asset_update(lookup_type:"mac", lookup_value:"AA:BB", ip_addresses:"10.0.0.0");
end

Using this rule on DHCP logs, for example, can keep existing assets up to date based on incoming logs.

// Fire only for DHCP lease messages that carry both the client MAC and the newly leased address.
rule "machine_asset_update"
when
    has_field("mac") && has_field("new_ip")
then
    // The MAC identifies the existing asset; its IP address list is updated with the new lease.
    machine_asset_update(lookup_type:"mac", lookup_value:to_string($message.mac), ip_addresses:to_string($message.new_ip));
end

user_asset_lookup

This pipeline rule is used to look up a user asset and enrich log messages with user asset data. The rule takes a lookup_type and value parameter. lookup_type can be either name, username, user_id, or email. The value field is the value to be used in looking up the specified type. The rule assumes that the lookup will be unique, so if multiple assets happen to match the lookup, only one will be returned. If the lookup has a match, it will return a map with the following structure:

{
  "id": "string",
  "name": "string",
  "priority": number,
  "category": ["string", "array"],
  "details": {
    "type": "user",
    "description": "string",
    "username": "string",
    "user_ids": ["string", "array"],
    "email_addresses": ["string", "array"],
    "first_name": "string",
    "last_name": "string"
  }
}

These fields can then be used to enrich the message in a more targeted way than the set_associated_assets rule. For example, a rule that looks up an asset by the username field and then sets fields on the message from the returned asset would look similar to:

rule "user_asset_lookup"
when
    has_field("username")
then
    // Look up the asset by the message's username value, not the literal string "username".
    let asset = user_asset_lookup(lookup_type:"username", value:to_string($message.username));
    let details = asset.details;
    set_field("asset_id", asset.id);
    set_field("asset_name", asset.name);
    set_field("asset_type", details.type);
    set_field("asset_username", details.username);
    set_field("asset_user_ids", details.user_ids);
    set_field("asset_emails", details.email_addresses);
end
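Many authentication and account-management events name two accounts: the one acting and the one acted upon. The following rules are an added example, not code from the original page: they enrich user_name and target_user_name (both fields from the table above) under separate prefixes, and a later-stage rule flags a known target acted on by an account that is not in the asset database. They assume is_not_null() is available and that the third rule runs in a later stage than the first two; the actor_*/target_* field names are constructed.

```text
// Added example, not from the original page: enrich both the acting account
// (user_name) and the affected account (target_user_name), two fields from
// the table above, under separate prefixes so a search can tell them apart.
// Assumptions: is_not_null() is available; the third rule sits in a later
// pipeline stage than the first two.

rule "user asset lookup: acting account"
when
    has_field("user_name") &&
    is_not_null(user_asset_lookup(lookup_type:"username", value:to_string($message.user_name)))
then
    // Repeated lookup: "then" has no conditional statement of its own.
    let actor = user_asset_lookup(lookup_type:"username", value:to_string($message.user_name));
    let details = actor.details;
    set_field("actor_asset_id", actor.id);
    set_field("actor_asset_name", actor.name);
    set_field("actor_asset_priority", actor.priority);
    set_field("actor_asset_emails", details.email_addresses);
end

rule "user asset lookup: target account"
when
    has_field("target_user_name") &&
    is_not_null(user_asset_lookup(lookup_type:"username", value:to_string($message.target_user_name)))
then
    let target = user_asset_lookup(lookup_type:"username", value:to_string($message.target_user_name));
    let details = target.details;
    set_field("target_asset_id", target.id);
    set_field("target_asset_name", target.name);
    set_field("target_asset_priority", target.priority);
    set_field("target_asset_emails", details.email_addresses);
end

// Later stage: a known user asset was acted on by an account that is not in
// the asset database. Flagging it makes such events easy to search and alert on.
rule "user asset lookup: unknown actor on known target"
when
    has_field("target_asset_id") && has_field("user_name") && !has_field("actor_asset_id")
then
    set_field("actor_asset_match", "none");
end
```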

Enhance Search with Asset Enrichment

Associate Assets in Search Results

When the Illuminate pack is activated, Security Data Lake automatically runs the set_associated_assets pipeline rule for all messages.

However, you have the option to apply the set_associated_assets pipeline rule only to a subset of logs. In this case, you would not enable the Illuminate assets processing pack; instead, you would call set_associated_assets in a pipeline rule of your own, add that rule to a pipeline, set filters, and assign the pipeline to selected streams.

This functionality is customizable to the extent that you can either apply it to all logs by enabling the Illuminate processing pack or to a subset of logs by manually configuring and applying the rule. Refer to our documentation on pipelines for more information on creating pipeline rules.

Once a message has been enriched with the associated_assets fields, those fields can be displayed in the expanded log view of an individual message. The details of each associated asset can then be expanded as well.

In addition to viewing the asset in search results, you also have the capability to add an asset to the search query and to pivot into any log message associated with that asset.

Note

See the related Security Data Lake article on upgrading to the newest Illuminate version.

Pivot to an Asset Search

This capability allows you to view an asset in search results and transition to exploring additional logs related to that specific asset for further investigation. For instance, if a log message identifies a finance department's computer as an asset, you can pivot and access all logs associated with that machine, allowing for a deeper delve into its activities.

To pivot to an asset search, click the Add to query button for a particular asset to view all log messages for that asset. Note that the asset ID is then added to the search query for the associated_assets field.


Search for Assets

On the Assets page, you can search for assets. This functionality allows you to create a search query based on asset information. You can search for assets individually or in bulk.

To search for an individual asset, click the ellipsis for the selected asset and choose the Search for asset option.


To perform bulk searches, choose the assets you want to search, then click on the Bulk Actions button and search for the selected assets.

Asset Management Use Cases

Scenario 1: Searching for Users/Machines

Let's say a user has two different user accounts (bill.murray and bmurray) as well as two different emails ([email protected] and [email protected]). If you want to search across all logs for that user:

  1. Navigate to the Security/Assets menu header and click the User Assets tab. Then select the ellipsis next to the selected user asset.

  2. Select Search for Asset from the menu options.

  3. You will receive results for any message that contains any of the various user names or email addresses.


This same scenario applies to machine assets with multiple IP addresses, hostnames, etc.

Scenario 2: Searching for Additional Logs about a Machine after Spotting Suspicious Activity

While sifting through logs in Security Data Lake, you see an unusual message and want to see other logs from that specific machine or user. As an example, in the screenshot below, you see failed logins heading to a particular machine and want to see other messages from that machine. To do this, you could select the asset on the left and then Add to Query:


This will add the asset to the query, so now we are looking at logins just for that asset.


Vulnerability Scanning

Security Data Lake enables you to connect to third-party vulnerability scanners so that you can add vulnerability data to your machine assets. This data is used to further enhance your risk scores for any related assets or events.

Vulnerability data typically includes information such as the severity of the detected issue, what systems are or potentially could be affected, and remediation steps. In most cases, vulnerability scan data is based on industry standard sources, particularly the Common Vulnerabilities and Exposures (CVE), which is a list of publicly disclosed vulnerabilities.

Vulnerability scanning is part of asset enrichment in Security Data Lake. In the Security interface, you can access the Vulnerability Scanners tab on the Assets page. See Manage Scanners for more information.

Note

Vulnerability scan data in Security Data Lake enriches your machine assets. You need to have machine assets in your environment for this information to be relevant. Vulnerability scan data does not apply to user assets.

Prerequisites

  • The "Illuminate 5.2.0:Assets" content pack is recommended.

  • A configured and running vulnerability scanner connected to Security Data Lake.

Security Data Lake Integrations with Vulnerability Scanning

Vulnerability scan data applied to machine assets helps provide a more complete view of potential threats in your environment. Vulnerability data can be useful in the following areas:

  • Asset enrichment: Vulnerability scanning data provides asset enrichment so that you have more information attached to your machine assets, including relevant security vulnerabilities. See Asset Enrichment for more information.

  • Illuminate: The "Illuminate 5.2.0:Assets" content pack, although optional, is highly recommended. This content pack associates your assets with incoming logs related to those assets. This content pack is required for risk scores and security event integrations, described below.

  • Risk scores: Machine assets can have their own asset risk scores. When an event is triggered that has an associated machine asset, that asset is assigned an asset risk score independent of the event, and vulnerability scan data is a factor in that risk score. See Asset Risk Scores for more information.

  • Security events: Events with machine assets factor in vulnerability scan data for the overall asset risk score calculated for the event. Therefore, you can better prioritize these events, giving attention to those with the highest risk scores. See Security Events for more information.

For examples of this integration, see the documentation on risk scoring use cases.

Set Up Vulnerability Scanning

Before you can include vulnerability scan data in Security Data Lake, you must have your own third-party scanner set up and connected to Security Data Lake. Security Data Lake does not perform scans but instead imports scan data from your configured scanner or scanners.

You can use the following types of vulnerability scanners with Security Data Lake:

  • Microsoft Defender Vulnerability Management (see Defender Scanners in Security Data Lake below)

  • Tenable Nessus (see Nessus Vulnerability Scanners in Security Data Lake below)

You can add multiple scanners for each type so that you can have scan data focused on different areas of your network or types of scans. See the setup information for each scanner type for complete details.

Note

Before you can add a scanner in Security Data Lake, you must have a fully configured and operational scanner running. Consult the scanner vendor’s documentation for setup information: Defender documentation and Nessus documentation.

Manage Scanners

The Vulnerability Scanners tab on the Assets page lists all the vulnerability scanners you have defined for your environment. Click a scanner to view its detail page that displays the scanner's settings and connection information.

From the detail screen, click Import Scans to perform a manual import of new scan data for the selected scanner. To update scanner settings, click Edit Connection.

If you select the check boxes for one or more scanners, the Bulk Actions menu becomes available with the following actions:

  • Import: Performs a manual import of new scan data for all selected scanners.

  • Delete: Removes all selected scanners from the list.

Defender Scanners in Security Data Lake

Microsoft Defender Vulnerability Management is part of the Microsoft security platform you can integrate with Security Data Lake to provide up-to-date asset vulnerability information. Defender Vulnerability Management performs device assessments, including configuration review to uncover vulnerabilities, which can be tailored to your business context.

You can connect Security Data Lake to your existing Defender Vulnerability Management service. Security Data Lake imports scan data from Defender and attaches any vulnerabilities to your related machine assets.

You need your Microsoft client application information for your Defender instance to create a connection in Security Data Lake, specifically your tenant ID, client ID, and the client secret to authorize the connection. See the Microsoft Defender Vulnerability Management documentation for more information.

Note

If you add a Microsoft 365 source on the Sources tab of the Assets page, you can select the Include Vulnerabilities option to create a Defender vulnerability scanner automatically. This option saves you time and effort because the same connection information is required for both the source and the vulnerability scanner.

Add a Defender Scanner

To add a Defender scanner:

  1. On the Assets page of the Security interface, select the Vulnerability Scanners tab.

  2. Click Add Scanner, then choose Defender from the menu.

  3. Fill in the connection details and other information for the scanner:

    • Title: Give the scanner a unique, meaningful name.

    • Description (optional): Provide detail about the purpose of this scanner. Although this field is optional, consider adding information here, particularly if you create multiple Defender scanners.

    • Enabled/Disabled Sync (optional): Toggle this setting to Enabled to automatically import scan data on a specified interval.

    • Sync Interval in Hours (optional): If you enable sync, this setting becomes available so you can determine how frequently to run a new import of scan data to update vulnerability information on your Security Data Lake assets. The default setting is 24 hours (once per day).

      Note

      The next three fields require information that you need to provide from your Microsoft Defender App registration environment. See the Microsoft Defender Vulnerability Management documentation for complete information.

    • Directory (tenant) ID: Enter this value from your Microsoft App registration.

    • Client ID: Enter this value from your Microsoft App registration.

    • Client Secret: Enter the client secret, which is used to prove identity when requesting a token.

    • Subscription Type: Select your subscription type from the drop-down menu: Global Service (this is the standard plan for most users), US Government, or US DOD.

    • Filter: By default, the scan import pulls all data from this scanner. Enter a filter to limit what data this scanner imports. Note that Defender filters must be entered as OData queries. View the Microsoft documentation for information on creating filters.

    After you provide the connection information, Security Data Lake tests the connection. The result of the test displays at the bottom of the dialog.

  4. Click Add Scanner to add the scanner.

New scanners are added to the list on the Vulnerability Scanners tab of the Assets page.

Import Vulnerability Scans

You have two methods for importing new vulnerability scan data: automatic sync and manual import. With either method, new imports completely replace previous information so all existing vulnerabilities are updated, as appropriate, and any new information is added.

Import Sync

You enable the automatic sync option with the Enabled Sync setting when you define the scanner. You can also use the toggle on the table view under Enable Periodical Imports.

When the sync option is enabled, new vulnerability data is imported according to the sync interval you set.

Manual Import

To manually import scan data:

  1. Click a scanner to view its detail page.

  2. Click Import Vulnerabilities.

  3. Click Import on the dialog box to confirm.

Nessus Vulnerability Scanners in Security Data Lake

Tenable Nessus is a security scanner that can identify vulnerabilities in devices, applications, operating systems, and other network or cloud resources. Nessus uses a combination of algorithms to assess threats and then assigns a vulnerability risk score based on the Common Vulnerability Scoring System (CVSS).

You can connect Security Data Lake to your existing Nessus scanner. Security Data Lake imports scan data from Nessus and attaches any vulnerabilities to your related machine assets.

Note

To configure a connection between Security Data Lake and Nessus, you need to ensure you have established a trusted relationship. Be certain you understand the certificate requirements. See Certificates and Certificate Authorities in the Nessus documentation for details.

You can create a Nessus scanner in Security Data Lake with either a paid or free version of Nessus. When you add a scanner following the directions below, you need the API URL for your Nessus instance as well as your access key and secret key to create a connection in Security Data Lake. See the Tenable Nessus documentation for information about creating your API keys.

Add a Nessus Scanner

To add a Nessus scanner:

  1. On the Assets page in the Security user interface, select the Vulnerability Scanners tab.

  2. Click Add Scanner, then choose Nessus from the menu.

  3. Fill in the connection details and other information for the scanner:

    • Title: Give the scanner a unique, meaningful name.

    • Description (optional): Provide detail about the purpose of this scanner. Although this field is optional, consider adding information here, particularly if you create multiple Nessus scanners.

    • Enabled/Disabled Sync (optional): Toggle this setting to Enabled to automatically import scan data on a specified interval.

    • Sync Interval in Hours (optional): If you enable sync, you can set how frequently to run a new import of scan data to update vulnerability information on your Security Data Lake assets. The default setting is 24 hours (once per day).

      Note

      The fields below require information from your Nessus environment. See the Nessus documentation for complete information.

    • API URL: Enter the URL to connect to your Nessus instance.

    • Access Key: Enter the access key to authenticate with the Nessus API.

    • Secret Key: Enter the secret key to authenticate with the Nessus API.

    After you provide the connection information, Security Data Lake tests the connection. The result of the test displays at the bottom of the dialog. When you connect successfully, the Folders field becomes available.

  4. (Optional) Use the Folders field if you want to limit or filter the data for this scanner instance. Folders available here are based on any folder structure you have created in your Nessus environment.

  5. Click Add Scanner to add the scanner.

New scanners are added to the list on the Vulnerability Scanners tab of the Assets page.

Import Vulnerability Scans

Nessus scanners use the same two import methods described for Defender scanners above: automatic sync, enabled with the Enabled Sync setting when you define the scanner or with the Enable Periodical Imports toggle in the table view, which imports new vulnerability data at the sync interval you set; and manual import, where you click a scanner to open its detail page, click Import Vulnerabilities, and then click Import on the dialog box to confirm. With either method, new imports completely replace previous information so all existing vulnerabilities are updated, as appropriate, and any new information is added.