Example methods of adding asset and identity data in Splunk Enterprise Security
These example methods cover some common ways to add asset and identity data to Splunk Enterprise Security. You can work with Splunk Professional Services to find the best solution for your environment.
Add asset and identity data from Active Directory
This example describes how to add asset and identity data from Active Directory.
Set up the Splunk Support for Active Directory app
Collect asset and identity data with the Splunk Support for Active Directory app. For information about installing and configuring the app, see Install the Splunk Supporting Add-on for Active Directory.
Collect asset and identity data from Active Directory
Collect asset and identity data from Active Directory by searching the data in SA-ldapsearch.
- Follow the steps to configure a new asset or identity list. See Configure a new asset or identity list in Splunk Enterprise Security.
- Disable the lookup file you created until you finish setting up the saved search to prevent the asset or identity data from merging with incomplete or inaccurate data. See Disable or enable asset and identity lookups.
- Create a saved search in SA-IdentityManagement to populate the lookup table file with the
ldapsearchcommand. The exact syntax of this search varies depending on your AD configuration. See Example search for collecting identity data from Active Directory and Example search for collecting asset data from Active Directory for two examples.
- Test the merge process. See Test the asset and identity merge process in Splunk Enterprise Security.
Example search for collecting identity data from Active Directory
This example search assigns static values for
priority. Use it as a guide to construct and test a working search, then replace the static values with information from your AD environment. Rename the lookup
my_identity_lookup to something appropriate for your environment.
|ldapsearch domain=<domain_name> search="(&(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires" |makemv userAccountControl |search userAccountControl="NORMAL_ACCOUNT" |eval suffix="" |eval priority="medium" |eval category="normal" |eval watchlist="false" |eval endDate="" |eval work_city="" |eval work_country="" |eval work_lat="" |eval work_long="" |table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate |rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate |outputlookup my_identity_lookup
Example search for collecting asset data from Active Directory
This example search assigns static values for several fields. Use it as a guide to construct and test a working search, then replace the static values with information from your AD environment. Rename the lookup
my_asset_lookup to something appropriate for your environment.
|ldapsearch domain=<domain name> search="(&(objectClass=computer))" |eval city="" |eval country="" |eval priority="medium" |eval category="normal" |eval dns=dNSHostName |eval owner=managedBy |rex field=sAMAccountName mode=sed "s/\$//g" |eval nt_host=sAMAccountName |makemv delim="," dn |rex field=dn "(OU|CN)\=(?<bunit>.+)" |table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av | outputlookup create_empty=false createinapp=true my_asset_lookup
Add asset data from indexed events in the Splunk platform
This example demonstrates how to identify hosts that appear in indexed events that are not currently associated with existing asset data and add those hosts to your asset lookup.
Use this example search to compare hosts communicating with the Splunk platform to the set of existing asset information and review the table of unmatched hosts. You can then export the table as an asset list.
| `host_eventcount` | search host_is_expected=false NOT host_asset_id=* | fields - firstTime,recentTime,lastTime,_time, host_owner_*,host_asset_tag,host_asset_id | sort -totalCount,dayDiff | table host,ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
Manually add new asset or identity data
Manually add new asset or identity data to Splunk Enterprise Security by editing the Assets or Identities lookups. For example, add internal subnets, IP addresses to be whitelisted, and other static asset and identity data.
- From the Splunk ES menu bar, select Configure > Content Management.
- To add asset data, click the Assets lookup to edit it. To add identity data, click the Identities list to edit it.
- Use the scroll bars to view the columns and rows in the table. Double click in a cell to add, change, or remove content.
- Save your changes.
Modify asset and identity lookups
Add threat intelligence to Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1
Feedback submitted, thanks!