WEEK_3 · DAY_21 · LAB
Lab 21 — Wire Asset & Identity
Enrich every event with context — feeds, assets, identities
Lab Objectives
- Add a custom threat intel feed (IPs, domains, hashes)
- Build the Asset framework (CSV → ES)
- Build the Identity framework (HR + AD → ES)
- See urgency change automatically based on asset/identity priority
Lab Instructions
1. Open Splunk ES → Configure → Data Enrichment.
2. Imagine assets.csv (10 rows) and identities.csv (10 rows).
3. Tag 2 hosts as priority=critical (PCI), 1 user as priority=critical (CFO).
4. Predict: which Notable Events would now escalate to urgency=critical?
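To check your prediction for step 4 offline, here is an added worked example (not Splunk ES code and not part of the lab page): it builds the two 10-row lookups from steps 2 and 3 as constructed CSV text, enriches a handful of constructed notable events with the priority of any matching asset (by ip, nt_host or dns) or identity (by identity or email), and derives urgency from severity plus priority. The urgency matrix and the "highest matching priority wins" rule are assumptions standing in for the urgency lookup under Configure → Data Enrichment; compare both against your own ES instance before trusting the numbers.

```python
"""Asset/identity enrichment and urgency escalation, as an added illustration.

Everything here is constructed for the exercise: the CSV rows, the events,
and the URGENCY matrix (a simplified stand-in for ES's urgency lookup).
"""
import csv
import io

# Constructed assets.csv (10 rows); the two PCI hosts carry priority=critical.
ASSETS_CSV = """ip,nt_host,dns,category,priority,owner
10.10.1.10,pos-db-01,pos-db-01.corp.example,pci,critical,payments
10.10.1.11,pos-app-01,pos-app-01.corp.example,pci,critical,payments
10.10.2.20,fileshare-01,fileshare-01.corp.example,corp,medium,it
10.10.2.21,print-01,print-01.corp.example,corp,low,it
10.10.3.30,wkstn-101,wkstn-101.corp.example,workstation,low,it
10.10.3.31,wkstn-102,wkstn-102.corp.example,workstation,low,it
10.10.4.40,dc-01,dc-01.corp.example,infra,high,it
10.10.4.41,vpn-01,vpn-01.corp.example,infra,high,netops
10.10.5.50,dev-build-01,dev-build-01.corp.example,dev,medium,eng
10.10.5.51,lab-box-07,lab-box-07.corp.example,lab,unknown,eng
"""

# Constructed identities.csv (10 rows); the CFO carries priority=critical.
IDENTITIES_CSV = """identity,first,last,email,category,priority,bunit
cfo.jane,Jane,Doe,jane.doe@example.com,executive,critical,finance
acct.sam,Sam,Lee,sam.lee@example.com,finance,medium,finance
it.admin,Ann,Kim,ann.kim@example.com,privileged,high,it
helpdesk1,Bo,Ng,bo.ng@example.com,it,low,it
dev.raj,Raj,Pat,raj.pat@example.com,engineering,low,eng
dev.mia,Mia,Fox,mia.fox@example.com,engineering,low,eng
hr.liz,Liz,Orr,liz.orr@example.com,hr,medium,hr
svc-backup,,,,service,medium,it
contractor7,Tom,Ray,tom.ray@example.com,contractor,low,ops
intern3,Ada,Yu,ada.yu@example.com,intern,unknown,ops
"""

PRIORITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SEVERITIES = ["informational", "low", "medium", "high", "critical"]

# ASSUMED simplified urgency matrix: row = effective priority, columns follow
# SEVERITIES order. Not the table shipped with ES; verify against your lookup.
URGENCY = {
    "unknown":  ["informational", "low",    "low",    "medium",   "high"],
    "low":      ["informational", "low",    "low",    "medium",   "high"],
    "medium":   ["informational", "low",    "medium", "high",     "high"],
    "high":     ["informational", "low",    "medium", "high",     "critical"],
    "critical": ["informational", "medium", "high",   "critical", "critical"],
}


def load_lookup(csv_text, key_fields):
    """Index CSV rows under each non-empty key field, like an ES lookup."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in key_fields:
            if row.get(field):
                index[row[field].lower()] = row
    return index


ASSETS = load_lookup(ASSETS_CSV, ("ip", "nt_host", "dns"))
IDENTITIES = load_lookup(IDENTITIES_CSV, ("identity", "email"))


def enrich(event):
    """Attach <field>_priority for src/dest/user; the highest match wins (assumed)."""
    matched = []
    for field, lookup in (("src", ASSETS), ("dest", ASSETS), ("user", IDENTITIES)):
        row = lookup.get(str(event.get(field, "")).lower())
        if row:
            event[field + "_priority"] = row["priority"]
            matched.append(row["priority"])
    event["priority"] = (max(matched, key=lambda p: PRIORITY_RANK.get(p, 0))
                         if matched else "unknown")
    return event


def assign_urgency(event):
    """Enrich the event, then map (priority, severity) through the matrix."""
    enrich(event)
    severity = event.get("severity", "informational")
    if severity not in SEVERITIES:
        severity = "informational"
    row = URGENCY.get(event["priority"], URGENCY["unknown"])
    event["urgency"] = row[SEVERITIES.index(severity)]
    return event


# Constructed notable events: rule name, severity, and the fields ES enriches.
NOTABLES = [
    {"rule": "Brute force against pos-db-01", "severity": "high", "dest": "10.10.1.10"},
    {"rule": "Malware on wkstn-101", "severity": "high", "dest": "WKSTN-101"},
    {"rule": "Unusual login by cfo.jane", "severity": "high", "user": "cfo.jane"},
    {"rule": "Port scan from lab-box-07", "severity": "low", "src": "lab-box-07"},
    {"rule": "Beaconing to unknown host", "severity": "critical", "dest": "192.0.2.5"},
    {"rule": "Admin session from pos-app-01", "severity": "medium",
     "user": "it.admin", "src": "10.10.1.11"},
]


def escalated_to_critical(events=NOTABLES):
    """Rule names whose urgency becomes critical after enrichment."""
    return [e["rule"] for e in (assign_urgency(dict(ev)) for ev in events)
            if e["urgency"] == "critical"]


if __name__ == "__main__":
    for ev in NOTABLES:
        e = assign_urgency(dict(ev))
        print(f'{e["rule"]:32} priority={e["priority"]:8} urgency={e["urgency"]}')
    print("critical:", escalated_to_critical())
```

The point the run makes for the lab: only events touching a critical asset or identity reach critical urgency under this matrix, and a critical-severity alert against an unknown host does not, which is exactly the behaviour you should confirm (or tune) in your own urgency lookup.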