Add asset and identity data to Splunk Enterprise Security
Splunk Enterprise Security uses an asset and identity system to correlate asset and identity information with events to enrich and provide context to your data. This system takes information from external data sources to populate lookups, which are then correlated with events at search time. See Configure asset and identity correlation in Splunk Enterprise Security.
Add asset and identity data to Splunk Enterprise Security to take advantage of asset and identity correlation.
- Collect and extract asset and identity data.
- Format the asset or identity list as a lookup.
- Configure a new asset or identity list.
- Define identity formats on the identity configuration page.
- Splunk Enterprise Security merges the asset and identity lists.
- Verify that your asset or identity data was added to Splunk Enterprise Security.
- Configure asset and identity correlation in Splunk Enterprise Security.
Collect and extract asset and identity data
Collect and extract your asset and identity data in order to add it to Splunk Enterprise Security. In a Splunk Cloud deployment, work with Splunk Professional Services to design and implement an asset and identity collection solution.
Determine where the asset and identity data in your environment is stored, and collect and update your asset and identity data automatically to reduce the overhead and maintenance that manual updating requires and improve data integrity.
- Use Splunk DB Connect or another Splunk platform add-on to connect to an external database or repository.
- Use scripted inputs to import and format the lists.
- Use events indexed in the Splunk platform with a search to collect, sort, and export the data to a list.
See Example methods of adding asset and identity data to Splunk Enterprise Security.
Suggested collection methods for assets and identities.
Technology | Asset or Identity data | Collection methods |
---|---|---|
Active Directory | Both | SA-ldapsearch and a custom search. |
LDAP | Both | SA-ldapsearch and a custom search. |
CMDB | Asset | DB Connect and a custom search. |
ServiceNow | Both | Splunk Add-on for ServiceNow |
Asset Discovery | Asset | Asset Discovery App |
Bit9 | Asset | Splunk Add-on for Bit9 and a custom search. |
Cisco ISE | Both | Splunk Add-on for Cisco ISE and a custom search. |
Microsoft SCOM | Asset | Splunk Add-on for Microsoft SCOM and a custom search. |
Okta | Identity | Splunk Add-on for Okta and a custom search. |
Sophos | Asset | Splunk Add-on for Sophos and a custom search. |
Symantec Endpoint Protection | Asset | Splunk Add-on for Symantec Endpoint Protection and a custom search. |
Splunk platform | Asset | Add asset data from indexed events in Splunk platform. |
Format the asset or identity list as a lookup
Create a plain text, CSV-formatted file with Unix line endings. Use the correct headers for the CSV file. See Asset and identity lookup header and field reference.
For an example asset list, review the demo_assets.csv file in SA-IdentityManagement/package/lookups. If you use a custom search to generate a lookup, make sure that the lookup produced by the search results contains fields that match the headers.
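As an added example (not from the Splunk documentation or the SA-IdentityManagement app), this Python script writes an asset lookup from constructed CMDB-style records with Unix line endings and checks the result against the expected header row before upload. The header set extends the four fields named on this page (ip, mac, nt_host, dns) with owner, priority and category, which are assumed here; take the authoritative list for your ES version from the header reference.

```python
import csv
import io

# Asset lookup headers: ip, mac, nt_host and dns are named on this page;
# owner, priority and category are assumed for the example. Check the
# "Asset and identity lookup header and field reference" for your version.
ASSET_HEADERS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "category"]

# Constructed sample records standing in for a CMDB export.
CMDB_ROWS = [
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:55", "nt_host": "FILESRV01",
     "dns": "filesrv01.corp.example", "owner": "itops", "priority": "high",
     "category": "server"},
    {"ip": "10.0.2.25", "nt_host": "WS-0025", "dns": "ws-0025.corp.example",
     "owner": "jdoe", "priority": "low", "category": "workstation"},
]

def render_asset_lookup(rows, headers=ASSET_HEADERS):
    """Return the CSV text of an asset lookup: header row, Unix newlines, one row per asset."""
    buf = io.StringIO()
    # lineterminator="\n" matters: the csv module defaults to "\r\n", which is not
    # the Unix line ending the lookup file must use.
    writer = csv.DictWriter(buf, fieldnames=headers, lineterminator="\n")
    writer.writeheader()
    blank = {h: "" for h in headers}
    for row in rows:
        # Missing fields become empty cells; a source field that is not a known
        # header raises ValueError, so header mismatches surface at generation time.
        writer.writerow({**blank, **row})
    return buf.getvalue()

def check_lookup(text, headers=ASSET_HEADERS):
    """Validate lookup text before upload; returns a list of problems (empty means OK)."""
    problems = []
    if "\r" in text:
        problems.append("contains carriage returns (needs Unix line endings)")
    reader = csv.reader(io.StringIO(text))
    first = next(reader, [])
    if first != headers:
        problems.append(f"header mismatch: {first} != {headers}")
    for lineno, row in enumerate(reader, start=2):
        if len(row) != len(headers):
            problems.append(f"line {lineno}: {len(row)} columns, expected {len(headers)}")
    return problems

if __name__ == "__main__":
    csv_text = render_asset_lookup(CMDB_ROWS)
    print(csv_text)
    print("problems:", check_lookup(csv_text))
```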
Configure a new asset or identity list
Configure a new asset or identity list as a lookup in Splunk Enterprise Security. This process creates the lookup in Splunk Enterprise Security and defines the lookup for the merge process.
Prerequisites
The lookup file must be a plain text, CSV-format file with Unix line endings and include a .csv filename extension.
Add the new lookup table file.
- From the Splunk menu bar, select Settings > Lookups > Lookup table files.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Select the lookup file to upload.
- Type the Destination filename that the lookup table file should have on the search head. The name should include the filename extension. For example, network_assets_from_CMDB.csv.
- Click Save to save the lookup table file and return to the list of lookup table files.
Set permissions on the lookup table file to share it with Splunk Enterprise Security.
- From Lookup table files, locate the new lookup table file and select Permissions.
- Set Object should appear in to All apps.
- Set Read access for Everyone.
- Set Write access for admin or other roles.
- Click Save.
Add a new lookup definition.
- From the Splunk menu bar, select Settings > Lookups > Lookup definitions.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Type a name for the lookup source. This name must match the name defined later in the input stanza definition on the Identity Management dashboard. For example, network_assets_from_CMDB.
- Select a Type of File based.
- Select the lookup table file created. For example, select network_assets_from_CMDB.csv.
- Click Save.
Set permissions on the lookup definition to share it with Splunk Enterprise Security.
- From Lookup definitions, locate the new lookup definition and select Permissions.
- Set Object should appear in to All apps.
- Set Read access for Everyone.
- Set Write access for admin or other roles.
- Click Save.
Add an input stanza for the lookup source.
- Return to Splunk Enterprise Security.
- From the Splunk ES menu bar, select Configure > Data Enrichment > Identity Management.
- Click New.
- Type the name of the lookup. For example, network_assets_from_CMDB.
- Type a Category to describe the new asset or identity list. For example, CMDB_network_assets.
- Type a Description of the contents of the list. For example, network assets from the CMDB.
- Type asset or identity to define the type of list. For example, asset.
- Type a Source that refers to the lookup definition name. For example, lookup://network_assets_from_CMDB.
Define identity formats on the identity configuration page
Define the identity formats that identify users in your environment on the Identity Lookup Configuration page. Changes made on the Identity Lookup Configuration page modify the identityLookup.conf file.
- From the Splunk ES menu bar, select Configure > Data Enrichment > Identity Lookup Configuration.
- (Optional) Deselect the check box for Email if email addresses do not identify users in your environment.
- (Optional) Deselect the check box for Email short if the username of an email address does not identify users in your environment.
- (Optional) Select the check box for Convention if you want to define custom conventions to use to identify users. Click Add a new convention to add a custom convention. For example, identify users by the first 3 letters of their first name and last name with the convention first(3)last(3).
- (Optional) Select the check box for Case Sensitive to require case sensitive identity matching. Case sensitive identity matching produces fewer matches.
- Click Save.
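The following Python, added here as an illustration rather than ES's own matching code, expands the identity options described above (Email, Email short, conventions such as first(3)last(3), and Case Sensitive) into the set of user values one identity record would match. The first, last and email fields on the constructed record are assumed for the example; only the identity field is taken from this page.

```python
import re

# Constructed identity record. "identity" is the field named on this page;
# first, last and email are assumed columns for the example.
IDENTITY = {"identity": "vanhelsing", "first": "Abraham", "last": "VanHelsing",
            "email": "abraham.vanhelsing@example.com"}

# A convention is a string of first/last tokens, optionally with a length, e.g. first(3)last(3)
TOKEN = re.compile(r"(first|last)(?:\((\d+)\))?")

def apply_convention(rec, convention):
    """Expand one convention string for a record. first(n)/last(n) take the first n letters,
    bare first/last take the whole name, and any other character (such as '.') is kept literally."""
    def repl(m):
        value = rec.get(m.group(1), "")
        return value[: int(m.group(2))] if m.group(2) else value
    return TOKEN.sub(repl, convention)

def identity_keys(rec, conventions=(), email=True, email_short=True, case_sensitive=False):
    """Set of strings an event's user value must equal to resolve to this record,
    mirroring the Email, Email short, Convention and Case Sensitive options."""
    keys = {rec["identity"]}
    if email and rec.get("email"):
        keys.add(rec["email"])
    if email_short and rec.get("email"):
        keys.add(rec["email"].split("@", 1)[0])   # username part of the address only
    for conv in conventions:
        keys.add(apply_convention(rec, conv))
    # Case-insensitive matching folds both sides to lower case, so more values match
    return keys if case_sensitive else {k.lower() for k in keys}

def matches(rec, user, **opts):
    """True if the event user value resolves to this identity record under the chosen options."""
    key = user if opts.get("case_sensitive") else user.lower()
    return key in identity_keys(rec, **opts)

if __name__ == "__main__":
    print(sorted(identity_keys(IDENTITY, conventions=("first(3)last(3)", "first.last"))))
    print(matches(IDENTITY, "VanHelsing"), matches(IDENTITY, "AbrVan", case_sensitive=True))
```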
Splunk Enterprise Security merges the asset and identity lists
Splunk Enterprise Security merges the asset and identity lists every five minutes with a saved search. See How Splunk Enterprise Security processes and merges asset and identity data.
Verify that your asset or identity data was added to Splunk Enterprise Security
Verify that your asset or identity data was added to Splunk Enterprise Security by searching and viewing dashboards.
Review asset lookup data
Verify that a specific asset record exists in the asset lookup.
- Choose an asset record with data in the ip, mac, nt_host, or dns fields from an asset list.
- Search for it in Splunk Web.
| makeresults | eval src="1.2.3.4" | `get_asset(src)`
View the available assets on the Asset Center dashboard. See Asset Center dashboard in this manual.
View all available assets with the assets macro.
| `assets`
View all available assets using the data model.
| `datamodel("Identity_Management", "All_Assets")` | `drop_dm_object_name("All_Assets")`
Review identity lookup data
Verify that a specific identity record exists in the identity lookup.
- Choose an identity record with data in the identity field.
- Search for it in Splunk Web.
| makeresults | eval user="VanHelsing" | `get_identity4events(user)`
View the available identities on the Identity Center dashboard. See Identity Center dashboard.
View all available identities with the identities macro.
| `identities`
View all available identities in the data model.
| `datamodel("Identity_Management", "All_Identities")` | `drop_dm_object_name("All_Identities")`
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only