Collect and extract asset and identity data in Splunk Enterprise Security
Collect and extract your asset and identity data in order to add it to Splunk Enterprise Security. In a Splunk Cloud Platform deployment, work with Splunk Professional Services to design and implement an asset and identity collection solution.
- Determine where the asset and identity data in your environment is stored.
- Collect and update your asset and identity data automatically to reduce the overhead and maintenance that manual updating requires and improve data integrity.
  - Use Splunk DB Connect or another Splunk platform add-on to connect to an external database or repository.
  - Use scripted inputs to import and format the lists.
  - Use events indexed in the Splunk platform with a search to collect, sort, and export the data to a list.
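The scripted-input method listed above, as an added example that is not from the Splunk documentation: a script that normalizes an inventory export into asset rows and prints them as CSV on stdout. The export column names and sample records are constructed, and the asset column list is an assumption to confirm against the lookup format for your ES version.

```python
import csv, io, ipaddress, re, sys

# ES asset lookup columns (assumed here; confirm against your ES version).
ASSET_FIELDS = ("ip mac nt_host dns owner priority lat long city country bunit category "
                "pci_domain is_expected should_timesync should_update requires_av").split()
PRIORITIES = {"low", "medium", "high", "critical"}

# Constructed sample export; the source column names are hypothetical.
SAMPLE_EXPORT = """hostname,ip_address,mac_address,owner_email,criticality,tags
WEB01.corp.example,10.0.5.12,00-1A-2B-3C-4D-5E,alice@example.com,High,web;pci
db02.corp.example,10.0.5.300,001a.2b3c.4d5f,bob@example.com,urgent,database
WEB01.corp.example,10.0.5.12,00:1a:2b:3c:4d:5e,alice@example.com,High,web;pci
"""

def norm_mac(value):
    # Lowercase colon-separated hex, or "" when the value is not 12 hex digits.
    digits = re.sub(r"[^0-9a-fA-F]", "", value or "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else ""

def norm_ip(value):
    try:
        return str(ipaddress.ip_address((value or "").strip()))
    except ValueError:
        return ""

def to_asset_rows(export_text):
    # Map export records to asset rows; skip rows with no key and duplicates.
    rows, seen = [], set()
    for rec in csv.DictReader(io.StringIO(export_text)):
        row = dict.fromkeys(ASSET_FIELDS, "")
        row["ip"] = norm_ip(rec.get("ip_address"))
        row["mac"] = norm_mac(rec.get("mac_address"))
        row["dns"] = (rec.get("hostname") or "").strip().lower()
        row["nt_host"] = row["dns"].split(".")[0]
        row["owner"] = (rec.get("owner_email") or "").strip().lower()
        prio = (rec.get("criticality") or "").strip().lower()
        row["priority"] = prio if prio in PRIORITIES else ""
        tags = (rec.get("tags") or "").split(";")
        row["category"] = "|".join(t.strip() for t in tags if t.strip())
        key = (row["ip"], row["mac"], row["dns"])
        if any(key) and key not in seen:
            seen.add(key)
            rows.append(row)
    return rows

if __name__ == "__main__":
    writer = csv.DictWriter(sys.stdout, ASSET_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(to_asset_rows(SAMPLE_EXPORT))
```

Malformed addresses and unrecognized priority values are blanked rather than passed through, and the third sample record collapses into the first once its MAC is normalized.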
Suggested collection methods for assets and identities.
Technology | Asset or Identity data | Collection methods |
---|---|---|
Active Directory | Both | SA-ldapsearch and a custom search. |
Active Directory | Both | SecKit Windows Add On for ES Asset and Identities * |
LDAP | Both | SA-ldapsearch and a custom search. |
CMDB | Asset | DB Connect for integrating with 3rd Party structured data sources, and a custom search. |
ServiceNow | Both | Splunk Add-on for ServiceNow |
Bit9 | Asset | Splunk Add-on for Bit9 and a custom search. |
Cisco ISE | Both | Splunk Add-on for Cisco ISE and a custom search. |
Microsoft SCOM | Asset | Splunk Add-on for Microsoft SCOM and a custom search. |
Okta | Identity | Splunk Add-on for Okta and a custom search. * |
Sophos | Asset | Splunk Add-on for Sophos and a custom search. |
Symantec Endpoint Protection | Asset | Splunk Add-on for Symantec Endpoint Protection and a custom search. |
Amazon Web Services (AWS) | Both | Create Cloud Asset Lookup and Create Cloud Identity Lookup |
Azure | Both | Create Cloud Asset Lookup and Create Cloud Identity Lookup |
Google Cloud Platform | Both | Create Cloud Asset Lookup and Create Cloud Identity Lookup |
Configuration Management Database (CMDB) | Asset | SecKit SA Common tools for populating assets and identities in Enterprise Security and PCI apps * |
Next step
Format an asset or identity list as a lookup in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2