Splunk App for Enterprise Security · v7.3.0
DAY 12 LAB · LAB 12 — BUILD A LOOKUP & MACRO · week 2
Build a knowledge object pack — lookup, eventtype, macro, tag.
- Configure → Lists & Lookups: define an assets lookup keyed on ip, returning hostname, owner and criticality. If you want ES's own asset framework to merge it, use its column names (nt_host for hostname, priority for criticality).
- Define an automatic lookup (a LOOKUP- setting in props.conf) scoped to the firewall sourcetype, matching the lookup's ip column against the CIM src field so the asset fields are added at search time.
- Author macro `high_value_assets` so that any search can filter to critical/high-priority assets without repeating the lookup logic.
- Tag-validate against CIM: create an eventtype for the firewall events, tag it network and communicate, and confirm the events appear in the Network Traffic data model (for example with `| datamodel Network_Traffic All_Traffic search`).
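The four steps above produce one small Splunk app. The script below is an added example, not part of the lab materials or of the ES app: it writes the lookup CSV plus transforms.conf, props.conf, macros.conf, eventtypes.conf and tags.conf into an app directory and then checks that the pieces reference each other. The app name `lab12_assets`, the firewall sourcetype `pan:traffic`, the lookup stanza name `lab12_assets` and the three asset rows are assumptions; the column names nt_host and priority follow the ES asset list convention.

```shell
#!/bin/sh
# Added example (not ES's or the lab's own code). Scaffold and sanity-check a
# knowledge-object app for Lab 12. Assumed: app name lab12_assets, firewall
# sourcetype pan:traffic, lookup stanza lab12_assets, constructed asset rows.
set -eu

build_lab12_app() {
  app="${1:?app root directory}"
  mkdir -p "$app/local" "$app/lookups" "$app/metadata"

  # 1. Lookup table. Constructed sample rows; header uses the ES asset-list
  #    column names so the same file can feed the asset framework later.
  cat > "$app/lookups/assets.csv" <<'EOF'
ip,nt_host,owner,priority
10.1.2.3,dc01,it-ops,critical
10.1.2.4,file01,it-ops,high
10.1.9.7,kiosk03,facilities,low
EOF

  # 2. Lookup definition (what Configure -> Lists & Lookups writes for you).
  cat > "$app/local/transforms.conf" <<'EOF'
[lab12_assets]
filename = assets.csv
EOF

  # 3. Automatic lookup on the firewall sourcetype, keyed on the CIM src field.
  #    OUTPUTNEW never overwrites a field the event already carries.
  cat > "$app/local/props.conf" <<'EOF'
[pan:traffic]
LOOKUP-lab12_src_asset = lab12_assets ip AS src OUTPUTNEW nt_host AS src_nt_host owner AS src_owner priority AS src_priority
EOF

  # 4. Macro: a subsearch that expands to (src=... OR src=...) for every
  #    critical/high asset, so it works in any search, not only on pan:traffic.
  cat > "$app/local/macros.conf" <<'EOF'
[high_value_assets]
definition = [| inputlookup lab12_assets | search priority IN ("critical","high") | fields ip | rename ip AS src]
iseval = 0
EOF

  # 5. Eventtype + CIM tags so the events land in the Network Traffic data model.
  cat > "$app/local/eventtypes.conf" <<'EOF'
[lab12_fw_traffic]
search = sourcetype=pan:traffic
EOF
  cat > "$app/local/tags.conf" <<'EOF'
[eventtype=lab12_fw_traffic]
network = enabled
communicate = enabled
EOF

  # 6. Export everything globally so ES (a different app) can use it.
  cat > "$app/metadata/local.meta" <<'EOF'
[]
export = system
EOF
}

# Cheap offline consistency check: every piece the others depend on exists.
check_lab12_app() {
  app="${1:?app root directory}"
  [ "$(head -n 1 "$app/lookups/assets.csv")" = "ip,nt_host,owner,priority" ] || { echo "bad CSV header"; return 1; }
  grep -q '^\[lab12_assets\]' "$app/local/transforms.conf" || { echo "missing lookup stanza"; return 1; }
  grep -q '^\[high_value_assets\]' "$app/local/macros.conf" || { echo "missing macro"; return 1; }
  grep -q '^network = enabled' "$app/local/tags.conf" || { echo "missing network tag"; return 1; }
  grep -q '^communicate = enabled' "$app/local/tags.conf" || { echo "missing communicate tag"; return 1; }
  # Every LOOKUP- line in props.conf must name a stanza that transforms.conf defines.
  for name in $(sed -n 's/^LOOKUP-[^=]*= *\([^ ]*\).*/\1/p' "$app/local/props.conf"); do
    grep -q "^\[$name\]" "$app/local/transforms.conf" || { echo "dangling lookup: $name"; return 1; }
  done
  echo "lab12 app OK: $app"
}

# Usage: sh lab12.sh /opt/splunk/etc/apps/lab12_assets
if [ -n "${1:-}" ]; then
  build_lab12_app "$1"
  check_lab12_app "$1"
fi
```

After copying the app into `$SPLUNK_HOME/etc/apps`, restart (or debug/refresh) and confirm with `| inputlookup lab12_assets`, then `sourcetype=pan:traffic | head 5 | table src src_nt_host src_priority` for the automatic lookup and `sourcetype=pan:traffic \`high_value_assets\`` for the macro. `splunk btool props list pan:traffic --debug` shows which file supplied the LOOKUP- setting if a conflicting definition in another app wins precedence.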
Hint: macros, lookups and tags are the substrate ES correlation searches stand on. A correlation search that references a missing macro fails to parse, and a sourcetype that is not tagged never reaches the data model, so the search silently finds nothing.