Create an identity lookup from your current LDAP data in Splunk Enterprise Security
Use LDAP to register your identities, create a lookup, and schedule a search to run on a regular basis.
This requires the Splunk Supporting Add-on for Active Directory for access to the
| ldapsearch command. See Collect and extract asset and identity data in Splunk Enterprise Security.
To get started with the Asset and Identity Builder, do the following:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Identity Lookup Configuration tab.
- Click New.
- Select the LDAP Lookup from the drop-down menu.
In the search section, do the following to name the lookup generating search:
- Provide a unique name for the search.
- Provide your LDAP domain.
Once you have provided your LDAP domain, you will see messages in the custom search builder preview, such as "InvalidLDAPSearchSpec: Valid LDAP search specifications must supply a lookup." This message is normal at this point.
In the lookup section, do the following:
- Provide a lookup label for your search-driven lookup.
- Provide a unique lookup name and/or transform name.
- The lookup filename .csv will auto-complete based on the name you provided for the lookup name.
Once you have completed the lookup fields, the custom search builder preview will show the search it has created. Click Run search to verify if the search returns results.
In the search schedule section, do the following to run the search on a regular basis:
- Enter a cron schedule.
- Select Real-time or Continuous scheduling.
- Click Save.
This saves two things:
- Saved searches that you can find in Configure > Content > Content Management
- Lookup table and lookup definition that you can find in Settings > Lookups
The next step is where you begin to create the settings stored in the
input.conf file that points to the lookup and pulls the data every 5 minutes to make updates to the asset or identity collections.
Since this example is for an identity, the next window that pops up is the New Identity Manager.
- The Source is auto-populated with the name of the lookup that you provided.
- See Identity Lookup Configuration.
Create an asset lookup from your current LDAP data in Splunk Enterprise Security
Create an asset lookup from your cloud service provider data in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only