Configure a new asset or identity list in Splunk Enterprise Security
Configure a new asset or identity lookup in Splunk Enterprise Security. This multistep process adds the lookup in Splunk Enterprise Security and defines the lookup for the merge process.
Prerequisite Format an asset or identity list as a lookup in Splunk Enterprise Security.
Steps
- Add the new lookup table file
- Set permissions on the lookup table file to share it with Splunk Enterprise Security
- Add a new lookup definition
- Set permissions on the lookup definition to share it with Splunk Enterprise Security
- Add an input stanza for the lookup source
- (Optional) Force a merge
Add the new lookup table file
- From the Splunk menu bar, select Settings > Lookups > Lookup table files.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Select the lookup file to upload.
- Type the Destination filename that the lookup table file should have on the search head. The name should include the filename extension.
For example,network_assets_from_CMDB.csv
- Click Save to save the lookup table file and return to the list of lookup table files.
- From Lookup table files, locate the new lookup table file and select Permissions.
- Set Object should appear in to All apps.
- Set Read access for Everyone.
- Set Write access for
admin
or other roles. - Click Save.
Add a new lookup definition
- From the Splunk menu bar, select Settings > Lookups > Lookup definitions.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Type a name for the lookup source. This name must match the name defined later in the input stanza definition on the Identity Management dashboard.
For example,network_assets_from_CMDB
. - Select a Type of File based.
- Select the lookup table file created.
For example, selectnetwork_assets_from_CMDB.csv
. - Click Save.
- From Lookup definitions, locate the new lookup definition and select Permissions.
- Set Object should appear in to All apps.
- Set Read access for Everyone.
- Set Write access for
admin
or other roles. - Click Save.
Add an input stanza for the lookup source
- Return to Splunk Enterprise Security.
- From the Splunk ES menu bar, select Configure > Data Enrichment > Identity Management.
- Click New.
- Type the name of the lookup.
For example,network_assets_from_CMDB
. - Type a Category to describe the new asset or identity list.
For example, CMDB_network_assets. - Type a Description of the contents of the list.
For example, network assets from the CMDB. - Type asset or identity to define the type of list.
- Type a Source that refers to the lookup definition name.
For example,lookup://network_assets_from_CMDB
. - Click Save.
- Wait five minutes. Splunk Enterprise Security merges the asset and identity lists every five minutes with a saved search. For an explanation of this process, see How Splunk Enterprise Security processes and merges asset and identity data.
Force a merge
You can also run the primary saved searches directly to force a merge immediately without waiting the five minutes for the scheduled search to run.
- Open the Search page.
- Run the primary saved searches.
| from savedsearch:"Identity - Asset String Matches - Lookup Gen"
| from savedsearch:"Identity - Asset CIDR Matches - Lookup Gen"
| from savedsearch:"Identity - Identity Matches - Lookup Gen"
Next step
Verify that your asset and identity data was added to Splunk Enterprise Security
Format an asset or identity list as a lookup in Splunk Enterprise Security | Manage asset field settings in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2
Feedback submitted, thanks!