Collect and extract asset and identity data in Splunk Enterprise Security
Collect and extract your asset and identity data in order to add it to Splunk Enterprise Security. In a Splunk Cloud Platform deployment, work with Splunk Professional Services to design and implement an asset and identity collection solution.
- Determine where the asset and identity data in your environment is stored.
- Collect and update your asset and identity data automatically to reduce the overhead and maintenance that manual updating requires and improve data integrity. Automated collection can take any of these forms:
  - Use Splunk DB Connect or another Splunk platform add-on to connect to an external database or repository.
  - Use scripted inputs to import and format the lists.
  - Use events indexed in the Splunk platform with a search to collect, sort, and export the data to a list.
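The scripted-input option above, shown as an added example rather than code from Splunk or this documentation. The script takes a CMDB-style CSV export (the column names `hostname`, `ip_addresses`, `mac`, `owner`, `criticality`, `business_unit` and `is_server`, and the sample rows, are constructed for this example) and emits a CSV in the standard Splunk Enterprise Security asset lookup layout (`ip`, `mac`, `nt_host`, `dns`, `owner`, `priority`, ...). It validates IP addresses, normalizes MAC addresses, maps a numeric criticality onto the ES `priority` values, joins multiple IPs with the pipe separator ES expects for multivalue cells, and drops rows that carry no key an event could ever match on.

```python
#!/usr/bin/env python3
"""Added example: scripted input that formats a CMDB export as an ES asset lookup.

The upstream export format is an assumption made for this example; the output
columns are the standard Enterprise Security asset lookup columns.
"""
import csv
import io
import ipaddress
import re
import sys

# Standard ES asset lookup columns, in the order the lookup file is written.
ASSET_COLUMNS = [
    "ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long", "city",
    "country", "bunit", "category", "pci_domain", "is_expected",
    "should_timesync", "should_update", "requires_av",
]

# Assumed CMDB criticality scale (1 = most critical) mapped onto ES priority
# values; anything unmapped becomes "unknown" rather than an invalid value.
PRIORITY_MAP = {"1": "critical", "2": "high", "3": "medium", "4": "low"}

# Constructed sample export; row 3 has no asset keys and row 4 has no MAC.
SAMPLE_EXPORT = (
    "hostname,ip_addresses,mac,owner,criticality,business_unit,is_server\n"
    "WEB-01,10.0.1.10;10.0.1.11,00-1A-2B-3C-4D-5E,ops@example.com,1,Sales,yes\n"
    "db-02,10.0.2.20;not-an-ip,001a2b3c4d5f,dba@example.com,3,Finance,yes\n"
    ",,,nobody,2,Misc,no\n"
    "laptop-7,192.168.5.4,,alice@example.com,9,Sales,no\n"
)


def _val(record, key):
    """Return a stripped string for a CSV column, tolerating missing cells."""
    return (record.get(key) or "").strip()


def normalize_mac(mac):
    """Canonicalize a MAC to upper-case colon form; return "" if not 12 hex digits."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac or "")
    if len(hexdigits) != 12:
        return ""
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def normalize_ips(raw):
    """Keep only valid, unique single IP addresses and join them with "|"."""
    good = []
    for token in (raw or "").split(";"):
        token = token.strip()
        if not token:
            continue
        try:
            ipaddress.ip_address(token)
        except ValueError:
            continue  # reject junk instead of writing it into the lookup
        if token not in good:
            good.append(token)
    return "|".join(good)


def to_asset_row(record):
    """Map one export record onto the ES asset lookup columns."""
    is_server = _val(record, "is_server").lower() in ("yes", "y", "true", "1")
    row = {col: "" for col in ASSET_COLUMNS}
    row.update({
        "ip": normalize_ips(record.get("ip_addresses")),
        "mac": normalize_mac(record.get("mac")),
        "nt_host": _val(record, "hostname"),
        "owner": _val(record, "owner"),
        "priority": PRIORITY_MAP.get(_val(record, "criticality"), "unknown"),
        "bunit": _val(record, "business_unit"),
        "category": "server" if is_server else "endpoint",
        "is_expected": "true",
        "should_update": "true",
        "requires_av": "true",
    })
    return row


def convert(csv_text):
    """Parse the export and return the list of usable asset rows."""
    rows = []
    for record in csv.DictReader(io.StringIO(csv_text)):
        row = to_asset_row(record)
        # Without ip, mac, nt_host or dns the row can never match an event.
        if not any(row[k] for k in ("ip", "mac", "nt_host", "dns")):
            continue
        rows.append(row)
    return rows


def render(rows):
    """Serialize rows as the CSV lookup text the scripted input writes to stdout."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ASSET_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    # Splunk indexes whatever a scripted input prints; with no file argument
    # the constructed sample is used so the script can be run stand-alone.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_EXPORT
    sys.stdout.write(render(convert(text)))
```

To use it as a scripted input, place the script in an app's `bin` directory and reference it from a `[script://...]` stanza in that app's `inputs.conf` with an interval that matches how often the CMDB changes; the rejected IP and the skipped empty row in the sample are the kind of data-integrity problems the automatic collection step above is meant to catch before they reach the lookup.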
The following table lists suggested collection methods for assets and identities.

| Technology | Asset or identity data | Collection methods |
|---|---|---|
| Active Directory | Both | SA-ldapsearch and a custom search. |
| Active Directory | Both | SecKit Windows Add On for ES Asset and Identities * |
| LDAP | Both | SA-ldapsearch and a custom search. |
| CMDB | Asset | DB Connect for integrating with 3rd Party structured data sources, and a custom search. |
| ServiceNow | Both | Splunk Add-on for ServiceNow |
| Bit9 | Asset | Splunk Add-on for Bit9 and a custom search. |
| Cisco ISE | Both | Splunk Add-on for Cisco ISE and a custom search. |
| Microsoft SCOM | Asset | Splunk Add-on for Microsoft SCOM and a custom search. |
| Okta | Identity | Splunk Add-on for Okta and a custom search. * |
| Sophos | Asset | Splunk Add-on for Sophos and a custom search. |
| Symantec Endpoint Protection | Asset | Splunk Add-on for Symantec Endpoint Protection and a custom search. |
| Amazon Web Services (AWS) | Asset | SecKit AWS Add On for ES Asset and Identities * |
| Configuration Management Database (CMDB) | Asset | SecKit SA Common tools for populating assets and identities in Enterprise Security and PCI apps * |
This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2