Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Add asset and identity data to Splunk Enterprise Security

Splunk Enterprise Security uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to your data. This system takes information from external data sources to populate lookups, which are then correlated with events at search time. See Configure asset and identity correlation in Splunk Enterprise Security.

Add asset and identity data to Splunk Enterprise Security to take advantage of asset and identity correlation.

  1. Collect and extract asset and identity data.
  2. Format the asset or identity list as a lookup.
  3. Configure a new asset or identity list.
  4. Define identity formats on the identity configuration page.
  5. Splunk Enterprise Security merges the asset and identity lists.
  6. Verify that your asset or identity data was added to Splunk Enterprise Security.
  7. Configure asset and identity correlation in Splunk Enterprise Security.

Collect and extract asset and identity data

Collect and extract your asset and identity data in order to add it to Splunk Enterprise Security. In a Splunk Cloud deployment, work with Splunk Professional Services to design and implement an asset and identity collection solution.

Determine where the asset and identity data in your environment is stored, and collect and update your asset and identity data automatically to reduce the overhead and maintenance that manual updating requires and improve data integrity.

  • Use Splunk DB Connect or another Splunk platform add-on to connect to an external database or repository.
  • Use scripted inputs to import and format the lists.
  • Use events indexed in the Splunk platform with a search to collect, sort, and export the data to a list.

See Example methods of adding asset and identity data to Splunk Enterprise Security.

Suggested collection methods for assets and identities.

Technology Asset or Identity data Collection methods
Active Directory Both SA-ldapsearch and a custom search.
LDAP Both SA-ldapsearch and a custom search.
CMDB Asset DB Connect and a custom search.
ServiceNow Both Splunk Add-on for ServiceNow
Asset Discovery Asset Asset Discovery App
Bit9 Asset Splunk Add-on for Bit9 and a custom search.
Cisco ISE Both Splunk Add-on for Cisco ISE and a custom search.
Microsoft SCOM Asset Splunk Add-on for Microsoft SCOM and a custom search.
Okta Identity Splunk Add-on for Okta and a custom search.
Sophos Asset Splunk Add-on for Sophos and a custom search.
Symantec Endpoint Protection Asset Splunk Add-on for Symantec Endpoint Protection and a custom search.
Splunk platform Asset Add asset data from indexed events in Splunk platform.

Format the asset or identity list as a lookup

Create a plain text, CSV-formatted file with Unix line endings. Use the correct headers for the CSV file. See Asset and identity lookup header and field reference.

For an example asset list, review the demo_assets.csv file in SA-IdentityManagement/package/lookups. If you use a custom search to generate a lookup, make sure that the lookup produced by the search results contains fields that match the headers.

Configure a new asset or identity list

Configure a new asset or identity list as a lookup in Splunk Enterprise Security. This process creates the lookup in Splunk Enterprise Security and defines the lookup for the merge process.

Prerequisites The lookup file must be a plain text, CSV-format file with Unix line endings and include a .csv filename extension.

Add the new lookup table file.

  1. From the Splunk menu bar, select Settings > Lookups > Lookup table files.
  2. Click New.
  3. Select a Destination App of SA-IdentityManagement.
  4. Select the lookup file to upload.
  5. Type the Destination filename that the lookup table file should have on the search head. The name should include the filename extension.
    For example, network_assets_from_CMDB.csv
  6. Click Save to save the lookup table file and return to the list of lookup table files.

Set permissions on the lookup table file to share it with Splunk Enterprise Security.

  1. From Lookup table files, locate the new lookup table file and select Permissions.
  2. Set Object should appear in to All apps.
  3. Set Read access for Everyone.
  4. Set Write access for admin or other roles.
  5. Click Save.

Add a new lookup definition.

  1. From the Splunk menu bar, select Settings > Lookups > Lookup definitions.
  2. Click New.
  3. Select a Destination App of SA-IdentityManagement.
  4. Type a name for the lookup source. This name must match the name defined later in the input stanza definition on the Identity Management dashboard.
    For example, network_assets_from_CMDB.
  5. Select a Type of File based.
  6. Select the lookup table file created.
    For example, select network_assets_from_CMDB.csv.
  7. Click Save.

Set permissions on the lookup definition to share it with Splunk Enterprise Security.

  1. From Lookup definitions, locate the new lookup definition and select Permissions.
  2. Set Object should appear in to All apps.
  3. Set Read access for Everyone.
  4. Set Write access for admin or other roles.
  5. Click Save.

Add an input stanza for the lookup source.

  1. Return to Splunk Enterprise Security.
  2. From the Splunk ES menu bar, select Configure > Data Enrichment > Identity Management.
  3. Click New.
  4. Type the name of the lookup.
    For example, network_assets_from_CMDB.
  5. Type a Category to describe the new asset or identity list.
    For example, CMDB_network_assets.
  6. Type a Description of the contents of the list.
    For example, network assets from the CMDB.
  7. Type asset or identity to define the type of list.
    For example, asset.
  8. Type a Source that refers to the lookup definition name.
    For example, lookup://network_assets_from_CMDB.

Define identity formats on the identity configuration page

Define the identity formats that identify users in your environment on the Identity Lookup Configuration page. Changes made on the Identity Lookup Configuration page modify the identityLookup.conf file.

  1. From the Splunk ES menu bar, select Configure > Data Enrichment > Identity Lookup Configuration.
  2. (Optional) Deselect the check box for Email if email addresses do not identify users in your environment.
  3. (Optional) Deselect the check box for Email short if the username of an email address does not identify users in your environment.
  4. (Optional) Select the check box for Convention if you want to define custom conventions to use to identify users. Click Add a new convention to add a custom convention.
    For example, identify users by the first 3 letters of their first name and last name with the convention first(3)last(3).
  5. (Optional) Select the check box for Case Sensitive to require case sensitive identity matching. Case sensitive identity matching produces fewer matches.
  6. Click Save.

Splunk Enterprise Security merges the asset and identity lists

Splunk Enterprise Security merges the asset and identity lists every five minutes with a saved search. See How Splunk Enterprise Security processes and merges asset and identity data.

Verify that your asset or identity data was added to Splunk Enterprise Security

Verify that your asset or identity data was added to Splunk Enterprise Security by searching and viewing dashboards.

Review asset lookup data

Verify that a specific asset record exists in the asset lookup.

  1. Choose an asset record with data the ip, mac, nt_host, or dns fields from an asset list.
  2. Search for it in Splunk Web.

    | makeresults | eval src="1.2.3.4" | `get_asset(src)`

View the available assets on the Asset Center dashboard. See Asset Center dashboard in this manual.

View all available assets with the assets macro.

| `assets`

View all available assets using the data model.

|`datamodel("Identity_Management", "All_Assets")` |`drop_dm_object_name("All_Assets")`

Review identity lookup data

Verify that a specific identity record exists in the identity lookup.

  1. Choose an identity record with data in the identity field.
  2. Search for it in Splunk Web.

    | makeresults | eval user="VanHelsing" | `get_identity4events(user)`

View the available identities on the Identity Center dashboard. See Identity Center dashboard.

View all available identities with the identities macro.

| `identities`

View all available identities in the data model.

|`datamodel("Identity_Management", "All_Identities")` |`drop_dm_object_name("All_Identities")`

PREVIOUS
User Activity Monitoring
  NEXT
Configure asset and identity correlation in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters