Splunk® Enterprise Security

Administer Splunk Enterprise Security


Example methods of adding asset and identity data in Splunk Enterprise Security

These example methods cover some common ways to add asset and identity data to Splunk Enterprise Security. You can work with Splunk Professional Services to find the best solution for your environment.

Add asset and identity data from Active Directory

This example describes how to add asset and identity data from Active Directory.

Set up the Splunk Support for Active Directory app

Collect asset and identity data with the Splunk Support for Active Directory app. For information about installing and configuring the app, see Install the Splunk Supporting Add-on for Active Directory.

Collect asset and identity data from Active Directory

Collect asset and identity data from Active Directory by searching the data in SA-ldapsearch.

  1. Follow the steps to configure a new asset or identity list. See Configure a new asset or identity list in Splunk Enterprise Security.
  2. Disable the lookup file you created until you finish setting up the saved search to prevent the asset or identity data from merging with incomplete or inaccurate data. See Disable or enable asset and identity lookups.
  3. Create a saved search in SA-IdentityManagement to populate the lookup table file with the ldapsearch command. The exact syntax of this search varies depending on your AD configuration. See Example search for collecting identity data from Active Directory and Example search for collecting asset data from Active Directory for two examples.
  4. Test the merge process. See Test the asset and identity merge process in Splunk Enterprise Security.

Example search for collecting identity data from Active Directory

This example search assigns static values for category, watchlist, and priority. Use it as a guide to construct and test a working search, then replace the static values with information from your AD environment. Rename the lookup my_identity_lookup to something appropriate for your environment.

|ldapsearch domain=<domain_name> search="(&(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires"
|makemv userAccountControl
|search userAccountControl="NORMAL_ACCOUNT"
|eval suffix=""
|eval priority="medium"
|eval category="normal"
|eval watchlist="false"
|eval endDate=""
|eval work_city=""
|eval work_country=""
|eval work_lat=""
|eval work_long=""
|table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate
|rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate
|outputlookup my_identity_lookup
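The search above relies on the add-on decoding the AD userAccountControl bit field into flag names and on a fixed rename onto the identity lookup columns. The following Python is an added illustration of that same transformation on constructed user records (not code from Splunk or from this page); the flag bit values are the documented AD ones, and the sample records are invented.

```python
# Documented userAccountControl bits (subset) -> flag names, as SA-ldapsearch decodes them.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD", 0x0200: "NORMAL_ACCOUNT",
             0x0800: "INTERDOMAIN_TRUST_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x400000: "DONT_REQ_PREAUTH"}

# AD attribute -> identity lookup column, mirroring the rename in the search above.
RENAME = {"sAMAccountName": "identity", "personalTitle": "prefix", "displayName": "nick",
          "givenName": "first", "sn": "last", "mail": "email", "telephoneNumber": "phone",
          "mobile": "phone2", "manager": "managedBy", "department": "bunit",
          "whenCreated": "startDate"}
STATIC = {"suffix": "", "priority": "medium", "category": "normal",
          "watchlist": "false", "endDate": ""}
COLUMNS = ["identity", "prefix", "nick", "first", "last", "suffix", "email", "phone", "phone2",
           "managedBy", "priority", "bunit", "category", "watchlist", "startDate", "endDate"]

# Constructed sample of user objects as the add-on would return them (not real data).
AD_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 512, "personalTitle": "Ms.",
     "displayName": "Jane Doe", "givenName": "Jane", "sn": "Doe", "mail": "jdoe@example.com",
     "telephoneNumber": "555-0100", "mobile": "555-0101",
     "manager": "CN=Bob Boss,OU=Users,DC=example,DC=com", "department": "Finance",
     "whenCreated": "2019-03-01T10:00:00Z"},
    {"sAMAccountName": "svc_backup", "userAccountControl": 66048,  # NORMAL + DONT_EXPIRE
     "displayName": "Backup Service", "department": "IT", "whenCreated": "2018-01-15T09:00:00Z"},
    {"sAMAccountName": "olduser", "userAccountControl": 514,  # NORMAL + ACCOUNTDISABLE
     "displayName": "Old User", "department": "HR", "whenCreated": "2015-06-01T08:00:00Z"},
    {"sAMAccountName": "trust$", "userAccountControl": 2080},  # trust account, no NORMAL flag
]

def decode_uac(value):
    """Bit field -> list of flag names, the multivalue field that makemv exposes."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def build_identity_rows(users):
    """Keep accounts whose flags include NORMAL_ACCOUNT, exactly as the search does.
    Note that disabled accounts still carry NORMAL_ACCOUNT and therefore pass this filter."""
    rows = []
    for u in users:
        if "NORMAL_ACCOUNT" not in decode_uac(u["userAccountControl"]):
            continue
        row = dict(STATIC)
        for attr, col in RENAME.items():
            row[col] = u.get(attr, "")          # missing AD attributes become empty cells
        rows.append({c: row[c] for c in COLUMNS})  # same column order as the table command
    return rows
```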

Example search for collecting asset data from Active Directory

This example search assigns static values for several fields. Use it as a guide to construct and test a working search, then replace the static values with information from your AD environment. Rename the lookup my_asset_lookup to something appropriate for your environment.

|ldapsearch domain=<domain_name> search="(&(objectClass=computer))"
|eval city=""
|eval country=""
|eval priority="medium"
|eval category="normal"
|eval dns=dNSHostName
|eval owner=managedBy
|rex field=sAMAccountName mode=sed "s/\$//g"
|eval nt_host=sAMAccountName
|makemv delim="," dn
|rex field=dn "(OU|CN)\=(?<bunit>.+)"
|table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
|outputlookup create_empty=false createinapp=true my_asset_lookup
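As an added illustration (not code from Splunk or from this page), the Python below performs the same shaping on constructed computer objects: strip the trailing $ from the machine account name, carry dNSHostName and managedBy into dns and owner, and fill the static fields. For the business unit it takes the first OU or CN container after the object's own RDN, which is this example's own assumption; the search above applies a broader rex to the split dn.

```python
import csv
import io
import re

ASSET_COLUMNS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long", "city",
                 "country", "bunit", "category", "pci_domain", "is_expected",
                 "should_timesync", "should_update", "requires_av"]

# Constructed sample of computer objects as the add-on would return them (not real data).
AD_COMPUTERS = [
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.corp.example.com",
     "managedBy": "CN=Desk Support,OU=Groups,DC=corp,DC=example,DC=com",
     "dn": "CN=WS01,OU=Workstations,OU=Paris,DC=corp,DC=example,DC=com"},
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example.com", "managedBy": "",
     "dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example,DC=com"},
    {"sAMAccountName": "ORPHAN$", "dNSHostName": "", "managedBy": "",
     "dn": "CN=ORPHAN,CN=Computers,DC=corp,DC=example,DC=com"},
]

def bunit_from_dn(dn):
    """First OU (or CN container) after the object's own RDN; '' if the DN has none."""
    parts = [p.strip() for p in dn.split(",")]      # the makemv delim="," step
    for part in parts[1:]:
        m = re.match(r"(OU|CN)=(?P<bunit>.+)", part)
        if m:
            return m.group("bunit")
    return ""

def build_asset_rows(computers):
    rows = []
    for c in computers:
        row = {col: "" for col in ASSET_COLUMNS}
        row["nt_host"] = re.sub(r"\$", "", c["sAMAccountName"])  # rex mode=sed "s/\$//g"
        row["dns"] = c.get("dNSHostName", "")
        row["owner"] = c.get("managedBy", "")
        row["priority"] = "medium"
        row["category"] = "normal"
        row["bunit"] = bunit_from_dn(c["dn"])
        rows.append(row)
    return rows

def to_csv(rows):
    """Render the rows as the CSV that outputlookup writes (header plus one line per asset)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ASSET_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```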

Add asset data from indexed events in the Splunk platform

This example demonstrates how to identify hosts that appear in indexed events that are not currently associated with existing asset data and add those hosts to your asset lookup.

Use this example search to compare hosts communicating with the Splunk platform to the set of existing asset information and review the table of unmatched hosts. You can then export the table as an asset list.

| `host_eventcount`
| search host_is_expected=false NOT host_asset_id=*
| fields - firstTime,recentTime,lastTime,_time, host_owner_*,host_asset_tag,host_asset_id
| sort -totalCount,dayDiff
| table host,ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
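The search above keeps hosts that the asset lookup could not enrich and orders them so the noisiest unknown hosts come first. The Python below is an added illustration of that comparison on constructed data (not code from Splunk or from this page): it emulates the asset match on ip, nt_host or dns (hostnames case-insensitively, an assumption of this example), then emits the unmatched hosts as rows with the host placed in the asset column its form suggests.

```python
import ipaddress

ASSET_COLUMNS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long", "city",
                 "country", "bunit", "category", "pci_domain", "is_expected",
                 "should_timesync", "should_update", "requires_av"]

# Constructed per-host counts in the shape `host_eventcount` yields, and a constructed
# asset lookup; neither is real data.
HOST_COUNTS = [
    {"host": "ws01.corp.example.com", "totalCount": 1200, "dayDiff": 30},
    {"host": "10.0.5.17", "totalCount": 95, "dayDiff": 2},
    {"host": "rogue-laptop", "totalCount": 340, "dayDiff": 12},
    {"host": "DC01", "totalCount": 5000, "dayDiff": 30},
    {"host": "10.0.9.200", "totalCount": 7, "dayDiff": 1},
    {"host": "printer7.corp.example.com", "totalCount": 7, "dayDiff": 25},
]
ASSETS = [
    {"asset_id": "A1", "ip": "10.0.5.17", "nt_host": "WS01", "dns": "ws01.corp.example.com"},
    {"asset_id": "A2", "ip": "10.0.1.10", "nt_host": "dc01", "dns": "dc01.corp.example.com"},
]

def match_asset(host, assets):
    """Return the asset a host resolves to, or None (the host_asset_id=* condition)."""
    h = host.lower()
    for a in assets:
        if host == a.get("ip") or h in (a.get("nt_host", "").lower(), a.get("dns", "").lower()):
            return a
    return None

def unmatched_hosts(host_counts, assets):
    """Unknown hosts ordered like `sort -totalCount,dayDiff`, shaped as asset lookup rows."""
    pending = [hc for hc in host_counts if match_asset(hc["host"], assets) is None]
    pending.sort(key=lambda hc: (-hc["totalCount"], hc["dayDiff"]))
    rows = []
    for hc in pending:
        row = {"host": hc["host"], **{col: "" for col in ASSET_COLUMNS}}
        try:                                  # an IP literal belongs in the ip column
            ipaddress.ip_address(hc["host"])
            row["ip"] = hc["host"]
        except ValueError:                    # otherwise dns if qualified, else nt_host
            row["dns" if "." in hc["host"] else "nt_host"] = hc["host"]
        rows.append(row)
    return rows
```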

Manually add new asset or identity data

Manually add new asset or identity data to Splunk Enterprise Security by editing the Assets or Identities lookups. For example, add internal subnets, IP addresses to be whitelisted, and other static asset and identity data.

  1. From the Splunk ES menu bar, select Configure > Content Management.
  2. To add asset data, click the Assets lookup to edit it. To add identity data, click the Identities list to edit it.
  3. Use the scroll bars to view the columns and rows in the table. Double-click a cell to add, change, or remove its content.
  4. Save your changes.

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1
