Feeds - Tags enrichments management

Introduction to tags enrichments

TrackMe allows to perform tags enrichments in different ways depending on the components.

Tags can be used within the user interface to provide more context to the analysts, or for additional purposes such as providing context as parts of alert results.

Tags enrichments for splk-dsm (Data Sources)

TrackMe version 2.0.84

  • These instructions require TrackMe version 2.0.84 and later

For Data Sources, TrackMe allows defining per entity tags manually, and/or in a more effiscient manner using tag policies.

Accessing, defining and managing tags policies

You can access tags policies from the main TrackMe’s tenant screen via the button Manage: tags policies:

dsm_tag_policies1.png dsm_tag_policies2.png

About Tags policies:

  • Regex based: Tags polciies are regular expressions which define a number of tags for matching entities

  • Tags submission: These polcies are monitored are monitored by a scheduled job named trackme_dsm_tags_tracker_tenant_<tenant_id>

  • Multiple matching policies: Multiple policies can be apply, this means a given entity can receive tags from one or more tags policies

  • Lower case: Tags are automatically stored in lower case format

  • Removing tags policies: When tags policies are removed, the tags were associated with entities and from the removed policies are removed from the entities automatically

  • Tags in the KVstore records: Tags are stored in the entities KVstore records, and can be used for alerting filtering purposes

  • Tags in the user interface: Tags are displayed in the user interface for the entities

Tags policies usage example

In the following example, we have a number of entities which have in comming some patterns we can leverage for tags policies purposes:

  • geo-locations: the entities naming convention includes the source location of these feeds

  • technology information: we can also leverage some of these information to associate these entities with technology related context tags

dsm_tag_policies3.png

Example of tags policies definition:

dsm_tag_policies4.png dsm_tag_policies5.png dsm_tag_policies6.png dsm_tag_policies7.png dsm_tag_policies8.png dsm_tag_policies9.png dsm_tag_policies10.png

Once we have created our policies, the tags trackers applies the policies automatically, we can also manually execute the tags tracker and the hybrid tracker(s) to reflect these changes immediately:

dsm_tag_policies11.png

After this, tags become visible in the user interface:

dsm_tag_policies12.png dsm_tag_policies13.png

Tags can also be searched in the user interface filters:

dsm_tag_policies14.png

Tags can be used when creating a TrackMe alert:

dsm_tag_policies15.png

Tags are stored as comma separated list of values (CSV) in the KVstore collections:

| inputlookup trackme_dsm_tenant_secops-<replace with tenant_id>
| table object, *tags*
dsm_tag_policies16.png

Tags are also included in the trackme:state events:

index=trackme_summary sourcetype="trackme:state" tenant_id=<replace with tenant_id>
dsm_tag_policies17.png

Tags can also be accessed through the properties fields of TrackMe notable events:

index=trackme_notable tenant_id=<replace with tenant_id>
dsm_tag_policies18.png

Tags are stored in a dedicated KVstore collection per tenant:

| inputlookup trackme_common_tag_policies_tenant_secops-merged-all
dsm_tag_policies19.png

Troubleshoot tags policies

Tags policies tracker

The first component is the scheduled job which applies the tags policies to the entities, this job is called as follows:

  • trackme_dsm_tags_tracker_tenant_<tenant_id>

dsm_tag_policies_troubleshoot1.png

This jobs should be scheduled, and properly executed:

dsm_tag_policies_troubleshoot2.png

You can find its logs as follows:

index=_internal sourcetype=trackme:custom_commands:trackmesplktags

When you have multiple tenants, you may want to filter on the tenant identifier:

index=_internal sourcetype=trackme:custom_commands:trackmesplktags tenant_id=<replace with tenant_id>

In case of any issues with the tags policies, ensure that the job exists, is scheduled and executes properly and continue with the following steps.

Tags policies REST API endpoint

The scheduled job calls the REST API endpoint to apply the tags policies, you can review the logs for this endpoint as follows:

index=_internal sourcetype=trackme:rest_api post_tag_policies_apply

With multiple tenants, filter on the tenant identifier:

index=_internal sourcetype=trackme:rest_api post_tag_policies_apply tenant_id=<replace with tenant_id>
dsm_tag_policies_troubleshoot3.png

In case of issues, carefully review the logs and verify if there are exceptions or issues with the tags policies:

index=_internal sourcetype=trackme:rest_api post_tag_policies_apply log_level=error

The REST API endpoint can be applied manually as well, you can easily get the list of endpoints and their usage, review the REST API reference dashboard:

dsm_tag_policies_troubleshoot4.png

In fact, you can apply the tags policies manually:

| trackme mode=post url="/services/trackme/v2/splk_tag_policies/write/tag_policies_apply" body="{'tenant_id': '<replace with the tenant id>'}"
dsm_tag_policies_troubleshoot5.png

Tags policies KVstore collection

When tags policies are applied, TrackMe entities get a record with the list of associated tags, if any:

| inputlookup trackme_dsm_tags_tenant_<replace with tenant id>
dsm_tag_policies_troubleshoot6.png

When TrackMe trackers are executed, tags records are automatically crossed enriched with the entities records to form the final entities records tags fields:

| inputlookup trackme_dsm_tenant_<replace with tenant id> | table object, *tags*
dsm_tag_policies_troubleshoot7.png

Tags enrichments for splk-dhm/splk-mhm

TrackMe version 2.0.53

  • These instructions require TrackMe version 2.0.53 as some enhancements were made for this purpose

For the Data Hosts tracking and Metric Hosts tracking components, tag enrichments rely on a lookup call approach which can be system wide customised.

You can use this feature to map TrackMe entities against any knowledge lookup in Splunk, such as your CMDB or Splunk Enterprise Security Assets and Identities lookups.

This relies on the two following macros:

# splk_dhm_tags
[trackme_get_splk_dhm_tags]
definition = `trackme_tags_default_message`
iseval = 0

# splk_mhm_tags
[trackme_get_splk_mhm_tags]
definition = `trackme_tags_default_message`
iseval = 0

By default, these macros refer to the macro trackme_tags_default_message:

[trackme_tags_default_message]
definition = eval tags =  "Tags enrichment is not configured yet, consult the configuration UI TrackMe manage and configure."
iseval = 0

In the user interface, the tags enrichments can be accessed as follows:

screen01.png screen02.png

Tags tracker logs:

You can review the tags tracker logs if you encounter any issues with tags policies:

index=_internal sourcetype=trackme:custom_commands:trackmesplktags

Configuration for splk-dsm/splk-mhm

The configuration is very simple, let’s assume with the example above that we have a CMDB lookup containing the following fields:

  • asset: defines the value for the asset (could be hosts, etc)

  • domain: a domain context

  • location: location information

  • tags: The actual tags for that asset, these values can be searched and filtered from the user interface

Field tags

  • You can provide multiple fields as part of the enrichment, however only the field tags can be used within the user interface for searching and filtering purposes

  • Other fields that your enrichment would provide can be viewed within the tags screen, but these cannot be searched in the Tabulator

  • Searching and filtering on tags from the Tabulator for splk-dhm/splk-mhm requires TrackMe version 2.0.54 and later

In a simplistic manner, you would update the macro trackme_get_splk_dhm_tags for splk-dhm and trackme_get_splk_mhm_tags for splk-mhm to:

lookup cmdb_demo asset as alias

Notes: the alias represents the raw name of the entity without any addition from TrackMe.

At the next call, TrackMe performs the call to the lookup accordingly:

screen03.png

You can of course include much more content to the macro, such as restricting the output or manipulating the results if there is no match in your CMDB and so forth.

Filtering on tags from the user interface:

screen04.png