Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Example methods of adding asset and identity data to Splunk Enterprise Security

These example methods cover some common ways to add asset and identity data to Splunk Enterprise Security. You can work with Splunk Professional Services to find the best solution for your environment.

Add asset and identity data from Active Directory

Add asset and identity data from Active Directory.

Set up the Splunk Support for Active Directory app

Collect asset and identity data with the Splunk Support for Active Directory app. Install and configure the app. See Install the Splunk Supporting Add-on for Active Directory.

Collect asset and identity data from Active Directory

Collect asset and identity data from Active Directory by searching the data in SA-ldapsearch.

  1. Follow the steps to configure a new asset or identity list. See Add asset and identity data to Splunk Enterprise Security.
  2. Disable the lookup file you created until you finish setting up the saved search to prevent the asset or identity data from merging with incomplete or inaccurate data. See Disable or enable asset or identity lookups.
  3. Create a saved search in SA-IdentityManagement to populate the lookup table file with the ldapsearch command. The exact syntax of this search varies depending on your AD configuration.
  4. Test the merge process. See Test the asset and identity merge process.

Example search for collecting identity data from Active Directory

This example search assigns static values for "suffix", "endDate", "category", "watchlist", and "priority". Use it as a guide to construct and test a working search, then replace the static values with information from your AD environment. Rename the lookup my_identity_lookup to something appropriate for your environment.

|ldapsearch domain=<domain_name> search="(&(objectclass=user)(!(objectClass=computer)))"
|makemv userAccountControl
|search userAccountControl="NORMAL_ACCOUNT"	
|eval suffix=""
|eval priority="medium"
|eval category="normal"
|eval watchlist="false"
|eval endDate="" 
|table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate
|rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate
|outputlookup my_identity_lookup

Example search for collecting asset data from Active Directory

This example search assigns static values for several fields. Use it as a guide to construct and test a working search, then replace the static values with information from your AD environment. Rename the lookup my_asset_lookup to something appropriate for your environment.

|ldapsearch domain=<domain name> search="(&(objectClass=computer))"
|eval city=""
|eval country=""
|eval priority="medium"
|eval category="normal"
|eval dns=dNSHostName
|eval owner=managedBy
|rex field=sAMAccountName mode=sed "s/\$//g"
|eval nt_host=sAMAccountName
|makemv delim="," dn
|rex field=dn "(OU|CN)\=(?<org>.+)"
|table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av 
| outputlookup create_empty=false createinapp=true my_asset_lookup

Add asset data from indexed events in Splunk platform

Identify hosts that appear in indexed events that are not currently associated with existing asset data and add those hosts to your asset lookup.

Use this example search to compare hosts communicating with the Splunk platform to the set of existing asset information and review the table of unmatched hosts. You can then export the table as an asset list.

| `host_eventcount` 
| search host_is_expected=false NOT host_asset_id=*
| fields - firstTime,recentTime,lastTime,_time, host_owner_*,host_asset_tag,host_asset_id 
| sort -totalCount,dayDiff 
| table host,ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

Manually add new asset or identity data

Manually add new asset or identity data to Splunk Enterprise Security by editing the static_assets and static_identities lists. For example, add internal subnets, IP addresses that should be whitelisted, and other static asset and identity data.

  1. From the Splunk ES menu bar, Select Configure > Data Enrichment > Lists and Lookups.
  2. To add asset data, click the "static_assets" list to edit it. To add identity data, click the "static_identities" list to edit it.
  3. Use the scroll bars to view the columns and rows in the table. Double click in a cell to add, change, or remove content.
  4. Click Save.
PREVIOUS
Modify asset and identity lookups in Splunk Enterprise Security
  NEXT
Access dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters