Splunk® Enterprise Security

Administer Splunk Enterprise Security

Splunk Enterprise Security (ES) versions 6.0.0, 6.0.1, and 6.3.0 are no longer available for download from Splunkbase as of April 15, 2021. Please upgrade to the latest version of Splunk Enterprise Security to avoid any potential issues with Assets and Identity management.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create an identity lookup from your cloud service provider data in Splunk Enterprise Security

Use cloud service provider data to register your identities, create a lookup, and schedule a search to run on a regular basis.

Create an identity lookup

Prerequisites

  • You must already have a cloud service provider.
  • You must already be ingesting data from the cloud service provider into the Splunk platform.

Steps

Use the Asset and Identity Builder page to perform the following steps:

  1. From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Identity Lookups tab.
  3. Click New.
  4. Select the Cloud Services Lookup from the drop-down menu.

Name the identity lookup search

Steps

In the Search section of the Asset and Identity Builder page, perform the following steps:

  1. In the Search Name field, type a unique name for the search.
  2. From the Cloud data source drop-down menu, select one of the following options:
    • Select the name of a cloud service provider. These are listed by provider name and also by the event type used for the corresponding search, such as AWS (aws_description_ec2_instances).
    • Select Custom and when the Custom event type field appears, do one of the following:
      • Choose an event type. These are all the available event types in the Splunk platform, regardless of whether that type of data is populating in your environment.
      • Type a custom value of your own. Use this option if you have an alternate cloud source data type that you have not yet installed. See eventtypes.conf in the Splunk Enterprise Admin Manual.

After you have provided your cloud service provider, you will see messages in the custom search builder preview, such as "Valid search specifications must specify the 'lookup'." This message is normal at this point.

Auto-generate the lookup fields

Steps

In the Lookup section of the Asset and Identity Builder page, perform the following steps:

  1. In the Label field, type a lookup label for your search-driven lookup.
  2. In the Lookup field, type a unique lookup name or transform name.

The lookup CSV filename auto-completes based on the name you provided for the lookup name.

Create a search schedule

After you have completed generating the lookup fields, the custom search builder preview displays the search it has created. Click Run search to verify if the search returns results.

Steps

In the Search Schedule section of the Asset and Identity Builder page, perform the following steps:

  1. Enter a cron schedule.
  2. Select Real-time or Continuous scheduling.
  3. Click Save.

After creating a search schedule, you can access the following searches in the Enterprise Security app:

  • Saved searches in Configure > Content > Content Management.
  • Lookup tables and lookup definitions in Settings > Lookups.

Make auto-updates to assets or identities

Create the settings that are stored in the input.conf file that points to the lookup and pulls the data every 5 minutes to make updates to the identity collections. To make auto-updates to identitiess, access the New Identity Manager. The Source is auto-populated with the name of the lookup that you provided. For more information, see Identity Lookup Configuration.

Last modified on 22 November, 2021
Create an asset lookup from your cloud service provider data in Splunk Enterprise Security   Manage assets and identities in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters