Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk Enterprise Security.

Collect and extract asset and identity data in Splunk Enterprise Security

Collect and extract your asset and identity data in order to add it to Splunk Enterprise Security. In a Splunk Cloud deployment, work with Splunk Professional Services to design and implement an asset and identity collection solution. For examples of adding asset and identity data, see Example methods of adding asset and identity data to Splunk Enterprise Security.

  1. Determine where the asset and identity data in your environment is stored.
  2. Collect and update your asset and identity data automatically to reduce the overhead and maintenance that manual updating requires and improve data integrity.
  • Use Splunk DB Connect or another Splunk platform add-on to connect to an external database or repository.
  • Use scripted inputs to import and format the lists.
  • Use events indexed in the Splunk platform with a search to collect, sort, and export the data to a list.
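The scripted-input approach in the second bullet, as an added example (not Splunk's code): a script that reads an inventory export, normalizes each record into the asset lookup columns, drops records that carry no key field ES could correlate on, sorts and deduplicates the rows, and writes the CSV. The inventory keys (hostname, fqdn, addresses, tier, tags) and the sample records are constructed, the column list is assumed from the asset lookup format that the topic "Format an asset or identity list as a lookup" defines, and the output path is whatever you pass on the command line.

```python
#!/usr/bin/env python3
"""Scripted input that converts an inventory export into an ES asset lookup.

Added example, not code from Splunk. Assumptions: the inventory is a JSON
list with the keys used in SAMPLE_INVENTORY (constructed), and the output
columns follow the asset lookup format described in the ES documentation.
"""
import csv
import io
import json
import sys

# Asset lookup columns, in the order the ES lookup format lists them (assumed).
ASSET_FIELDS = [
    "ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long",
    "city", "country", "bunit", "category", "pci_domain", "is_expected",
    "should_timesync", "should_update", "requires_av",
]
VALID_PRIORITIES = {"unknown", "low", "medium", "high", "critical"}
MV_SEP = "|"  # separator used for multivalue cells such as several IPs

# Constructed sample export; a real scripted input reads this from the CMDB.
SAMPLE_INVENTORY = json.dumps([
    {"hostname": "WEB01", "fqdn": "web01.corp.example",
     "addresses": ["10.1.1.11", "10.1.1.10"], "mac": "00:11:22:33:44:55",
     "owner": "webteam", "tier": "critical", "tags": ["pci", "dmz"],
     "city": "Austin", "country": "US"},
    {"hostname": "db01", "fqdn": "", "addresses": ["10.1.2.20"], "mac": "",
     "owner": "dba", "tier": "Tier-1", "tags": [], "city": "", "country": ""},
    {"hostname": "", "fqdn": "", "addresses": [], "mac": "", "owner": "nobody",
     "tier": "low", "tags": [], "city": "", "country": ""},
])


def normalize_asset(record):
    """Map one inventory record onto the asset fields.

    Returns None when the record has none of the key fields (ip, mac,
    nt_host, dns): ES has nothing to match such a row against.
    """
    ips = sorted({a.strip() for a in record.get("addresses", []) if a.strip()})
    asset = {field: "" for field in ASSET_FIELDS}
    asset["ip"] = MV_SEP.join(ips)
    asset["mac"] = record.get("mac", "").strip().lower()
    asset["nt_host"] = record.get("hostname", "").strip()
    asset["dns"] = record.get("fqdn", "").strip().lower()
    if not any(asset[k] for k in ("ip", "mac", "nt_host", "dns")):
        return None
    asset["owner"] = record.get("owner", "").strip()
    tier = record.get("tier", "").strip().lower()
    # Only the priorities ES understands; anything else degrades to "unknown".
    asset["priority"] = tier if tier in VALID_PRIORITIES else "unknown"
    tags = sorted({t.strip().lower() for t in record.get("tags", []) if t.strip()})
    asset["category"] = MV_SEP.join(tags)
    asset["city"] = record.get("city", "").strip()
    asset["country"] = record.get("country", "").strip()
    asset["is_expected"] = "true"  # example policy: inventoried hosts are expected
    return asset


def build_asset_lookup(inventory_json):
    """Parse the export, drop unusable rows, deduplicate, and sort by host."""
    rows, seen = [], set()
    for record in json.loads(inventory_json):
        asset = normalize_asset(record)
        if asset is None:
            continue
        key = (asset["ip"], asset["nt_host"])
        if key in seen:
            continue
        seen.add(key)
        rows.append(asset)
    rows.sort(key=lambda a: (a["nt_host"].lower(), a["ip"]))
    return rows


def to_lookup_csv(rows):
    """Serialize the rows as the CSV a lookup table file expects (header first)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ASSET_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: asset_export.py [inventory.json] [assets.csv]
    # With no arguments the constructed sample is converted and printed.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INVENTORY
    output = to_lookup_csv(build_asset_lookup(source))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w") as fh:
            fh.write(output)
    else:
        sys.stdout.write(output)
```

Pointing the second argument at the lookup file that your asset lookup definition references keeps the file current each time the scripted input runs; the validation step matters because a row with no ip, mac, nt_host or dns value silently matches nothing.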

Suggested collection methods for assets and identities.

| Technology | Asset or identity data | Collection methods |
|---|---|---|
| Active Directory | Both | SA-ldapsearch and a custom search. See Example methods of adding asset and identity data. |
| Active Directory | Both | SecKit Windows Add On for ES Asset and Identities |
| LDAP | Both | SA-ldapsearch and a custom search. |
| CMDB | Asset | DB Connect for integrating with 3rd party structured data sources, and a custom search. |
| ServiceNow | Both | Splunk Add-on for ServiceNow |
| Asset Discovery | Asset | Splunk for Asset Discovery |
| Bit9 | Asset | Splunk Add-on for Bit9 and a custom search. |
| Cisco ISE | Both | Splunk Add-on for Cisco ISE and a custom search. |
| Microsoft SCOM | Asset | Splunk Add-on for Microsoft SCOM and a custom search. |
| Okta | Identity | Splunk Add-on for Okta and a custom search. |
| Sophos | Asset | Splunk Add-on for Sophos and a custom search. |
| Symantec Endpoint Protection | Asset | Splunk Add-on for Symantec Endpoint Protection and a custom search. |
| Splunk platform | Asset | Add asset data from indexed events in Splunk platform. |
| Amazon Web Services (AWS) | Asset | SecKit AWS Add On for ES Asset and Identities |
| Configuration Management Database (CMDB) | Asset | SecKit SA Common tools for populating assets and identities in Enterprise Security and PCI apps |

Next step

(Optional) Define identity formats in Splunk Enterprise Security

Format an asset or identity list as a lookup in Splunk Enterprise Security


This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1


Comments

Hi Satyenshah,
Thanks for the feedback. I've made an update to help differentiate the two.

Lkutch splunk, Splunker
August 24, 2018

CMDB is listed twice in the above table. Is one of the rows a vendor-specific implementation of CMDB?

Satyenshah
August 23, 2018
