1: Asset import is a data import as important as HR data, since many threat rules are based on both user and device.
First configure the assets; some of them have multiple IPs:
Some assets can have multiple values in a field, such as multiple IP addresses or MAC addresses. Splunk UBA creates separate devices for each IP address or MAC address if the addresses are separated by commas, as shown in the following example:
192.168.10.10,192.168.10.20,192.168.10.30
For data sources such as Splunk Enterprise Security (ES) that use a delimiter other than a comma, update the attribution.keyvalue.delimiter property in the /etc/caspida/local/conf/uba-site.properties file to specify the desired delimiter.
For example, perform the following tasks to specify that multiple IP and MAC addresses are separated using a pipe (|) character instead of a comma:
Log in to the management
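As an added illustration (not Splunk's code), the following simulates how a multi-valued asset field is split into one device per address using the delimiter read from uba-site.properties, and shows what goes wrong when an ES export uses a pipe while the property is still left at the comma default. The property value format and the sample asset records are assumptions constructed for this example.

```python
import ipaddress

# Constructed samples of the relevant line in uba-site.properties.
# Assumption: the property holds the literal delimiter string.
SITE_PROPERTIES_DEFAULT = "# local overrides\nattribution.keyvalue.delimiter=,\n"
SITE_PROPERTIES_PIPE = "attribution.keyvalue.delimiter=|\n"

# Constructed asset records: one comma-separated (UBA default), one as an
# ES export might deliver it with a pipe delimiter.
ASSET_COMMA = {"hostname": "fileserver01",
               "ip": "192.168.10.10,192.168.10.20,192.168.10.30"}
ASSET_PIPE = {"hostname": "fileserver02",
              "ip": "192.168.10.40|192.168.10.50|192.168.10.60"}

PROPERTY = "attribution.keyvalue.delimiter"


def read_delimiter(properties_text, default=","):
    """Return the configured delimiter, or the comma default when unset."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            return value.strip() or default
    return default


def looks_like_ip(value):
    """True if the value parses as a single IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def expand_asset(asset, delimiter):
    """Split the IP field and emit one device record per address.

    Each record carries a 'valid' flag; a False flag means the field was not
    split correctly, which is exactly what a mismatched delimiter produces
    (the whole pipe-joined string is treated as one bogus address).
    """
    addresses = [a.strip() for a in asset["ip"].split(delimiter) if a.strip()]
    return [{"hostname": asset["hostname"], "ip": a, "valid": looks_like_ip(a)}
            for a in addresses]
```

Running expand_asset on ASSET_PIPE with the default delimiter yields a single invalid device, which is the symptom to check for after an ES asset import.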