If you are using OT-BASE with Splunk Enterprise Security (ES), you need to add a lookup table to ES so that ES can enrich event data automatically and show OT-BASE devices in the ES Asset Center.
OT-BASE creates the lookup table automatically via the saved search called "ES Device Lookup". The lookup table is named "otbase_assets.csv". The saved search runs once per week by default, but you can change that, and you will probably want to create the lookup table right after installation. You can do this by changing the schedule, or simply by appending
| outputlookup otbase_assets.csv
to the search and running the saved search once.
Next, create a lookup definition under Settings/Lookups and link it to the .csv file. Make sure that the lookup definition is readable by everyone; otherwise ES cannot use it.
In Enterprise Security, go to Configure/Data Enrichment and select "Assets and Identities". Then click on "New" and enter the data for your new lookup definition.
After saving the asset lookup configuration, you should see the assets imported from OT-BASE Asset Center in the ES Asset Center.
Note that the saved search assigns "high" priority to OT devices by default. For devices that have any criticality assignment, the priority is elevated to "critical".
Once the asset lookup table is set up properly, you will also see automatic data enrichment in searches.
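The following added example (not OT-BASE's or Splunk's own code) shows what a row of the asset lookup has to look like for the ES Assets and Identities framework, applies the priority rule described above, and checks an existing CSV for the problems that most often keep ES from matching assets. The OT-BASE record field names (name, ip, mac, site, categories, criticality) are assumptions; the ES column names are the framework's standard asset fields.

```python
import csv
import io

# Column order of the Splunk ES asset lookup (Assets and Identities framework).
ES_ASSET_FIELDS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long",
                   "city", "country", "bunit", "category", "pci_domain", "is_expected",
                   "should_timesync", "should_update", "requires_av"]
ES_PRIORITIES = {"unknown", "low", "medium", "high", "critical"}

# Constructed OT-BASE-style records; the field names here are assumptions, not
# the OT-BASE export schema.
SAMPLE_DEVICES = [
    {"name": "PLC-01", "ip": "10.1.2.10", "mac": "00:11:22:33:44:55", "site": "Plant A",
     "categories": ["plc"], "criticality": "safety"},
    {"name": "HMI-07", "ip": "10.1.2.30", "site": "Plant A", "categories": ["hmi"]},
]

def asset_priority(device):
    """OT devices get "high" by default; any criticality assignment raises it to "critical"."""
    return "critical" if device.get("criticality") else "high"

def to_es_asset(device):
    """Map one device record to an ES asset row; unused ES columns stay empty."""
    row = dict.fromkeys(ES_ASSET_FIELDS, "")
    row.update(ip=device.get("ip", ""), mac=device.get("mac", ""), nt_host=device.get("name", ""),
               bunit=device.get("site", ""), priority=asset_priority(device),
               category="|".join(["ot"] + device.get("categories", [])))  # "|" separates multivalues
    return row

def build_lookup_csv(devices):
    """Render the rows as CSV text in the shape of otbase_assets.csv."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ES_ASSET_FIELDS, lineterminator="\n")
    writer.writeheader()
    for device in devices:
        writer.writerow(to_es_asset(device))
    return buf.getvalue()

def validate_lookup_csv(text):
    """Return problems that would keep ES from matching or prioritising a row."""
    reader = csv.DictReader(io.StringIO(text))
    problems = [f"missing column: {c}" for c in ES_ASSET_FIELDS if c not in (reader.fieldnames or [])]
    for lineno, row in enumerate(reader, start=2):
        # ES matches assets on ip, mac, nt_host or dns; a row without any of them is never used.
        if not any(row.get(k) for k in ("ip", "mac", "nt_host", "dns")):
            problems.append(f"line {lineno}: no ip/mac/nt_host/dns key field")
        if row.get("priority") not in ES_PRIORITIES:
            problems.append(f"line {lineno}: bad priority {row.get('priority')!r}")
    return problems
```

Run validate_lookup_csv over the generated otbase_assets.csv before registering it in ES; an empty list means every row has a key field and a valid priority.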