Splunk® Enterprise Security

Administer Splunk Enterprise Security

Splunk Enterprise Security (ES) versions 6.0.0, 6.0.1, and 6.3.0 are no longer available for download from Splunkbase as of April 15, 2021. Please upgrade to the latest version of Splunk Enterprise Security to avoid any potential issues with Assets and Identity management.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create an identity lookup from your current LDAP data in Splunk Enterprise Security

Use LDAP to register your identities, create a lookup, and schedule a search to run on a regular basis.

Prerequisites
This requires the Splunk Supporting Add-on for Active Directory for access to the | ldapsearch command. See Collect and extract asset and identity data in Splunk Enterprise Security.

To get started with the Asset and Identity Builder, do the following:

  1. From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Identity Lookup Configuration tab.
  3. Click New.
  4. Select the LDAP Lookup from the drop-down menu.

Search

In the search section, do the following to name the lookup generating search:

  1. Provide a unique name for the search.
  2. Provide your LDAP domain.

Once you have provided your LDAP domain, you will see messages in the custom search builder preview, such as "InvalidLDAPSearchSpec: Valid LDAP search specifications must supply a lookup." This message is normal at this point.

Lookup

In the lookup section, do the following:

  1. Provide a lookup label for your search-driven lookup.
  2. Provide a unique lookup name and/or transform name.
  3. The lookup filename .csv will auto-complete based on the name you provided for the lookup name.

Search schedule

Once you have completed the lookup fields, the custom search builder preview will show the search it has created. Click Run search to verify if the search returns results.

In the search schedule section, do the following to run the search on a regular basis:

  1. Enter a cron schedule.
  2. Select Real-time or Continuous scheduling.
  3. Click Save.

This saves two things:

  • Saved searches that you can find in Configure > Content > Content Management
  • Lookup table and lookup definition that you can find in Settings > Lookups

Identity management

The next step is where you begin to create the settings stored in the input.conf file that points to the lookup and pulls the data every 5 minutes to make updates to the asset or identity collections.

Since this example is for an identity, the next window that pops up is the New Identity Manager.

  1. The Source is auto-populated with the name of the lookup that you provided.
  2. See Identity Lookup Configuration.
Last modified on 22 November, 2021
Create an asset lookup from your current LDAP data in Splunk Enterprise Security   Create an asset lookup from your cloud service provider data in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters