Manage identity lookup configuration policies in Splunk Enterprise Security
Create an identity lookup configuration policy to update and enrich your identities. Identity lookup settings create the configuration that updates the inputs.conf file to point to a lookup and update your identities. When you add new items, or update current items, the change takes effect in 5 minutes.
Prerequisites
Perform the following prerequisite tasks before starting on these settings:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format the asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
Add an identity input stanza for the lookup source
To add a new identity input source, do the following:
- From the Splunk ES menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Identity Lookup Configuration tab.
- Click New.
- In the New Identity Manager, do the following:
- Select the transforms.conf definition from the Source drop-down list that corresponds to the CSV source file of assets you uploaded in the prerequisite step.
- You can provide a name for the identity list stanza, but matching the source name is a good idea.
- Enter a descriptive category for this identity list, such as east_coast_employees or strategic_executives.
- Enter a detailed description of the contents of this identity list.
- Check the Denylist check box to exclude the lookup file from bundle replication.
The asset and identity source lookup files are excluded from bundle replication in an indexer cluster by default. The merged lookup files are still included in bundle replication to support asset and identity correlation. Changing the default to include asset and identity lookup files in bundle replication might reduce system performance. See Knowledge bundle replication overview in the Splunk Enterprise Distributed Search manual.
- In Lookup List Type, identity is selected for you.
- In Lookup Field Exclusion List, select fields for the merge process to ignore. This excludes the fields and their values from the KV store collections for that particular lookup. You might use this in the case where you have a field in your source file that you don't want to rely on for information.
Do not use identity in the field exclusion list if you want to use the optional conventions that follow. The conventions are extracted from the identity field.
- (Optional) Configure the conventions that the identity lookup can use to create a common unique key between different identity sources that might otherwise lack the same field.
When an email convention check box is checked, the email address is used as an additional primary key for identity. The Email convention is turned on by default.- Click Email to use the full email address.
- Click Email Short to use the email username.
- Click + Add a new convention to add a custom convention:
You can identify users by the first few letters of their first name and the first few letters of their last name, based on the columns in the Identities Table. Use the convention of identity_first(n)middle(n)last(n) where identity, first, and last are any columns from the Identities Table, and where n is a number starting with 0. For example:- "Claudia Maria Garcia" using the convention first(3)last(3) is "clagar"
- "Rutherford Michael Sullivan" using the convention first(1)middle(1).last() is "rm.sullivan"
- "Vanya Patel" using the convention ADMIN_first(1)last() is "ADMIN_vpatel"
- Multiple matches are resolved automatically by taking the first match in the table or manually by specifying identity values.
- Click Save.
Rank the order for merging identities
Any new identity list gets added to the bottom of the page by default. You can rank the order of this list to determine priority for merging identities. If an identity exists in multiple source files as a single value, or exists multiple times in the same source file, this ranking is the weighted order for merging them. By default, the single value identity fields are as follows:
- endDate
- priority
- startDate
- watchlist
These are the fields where the rank takes effect. For example, if you're merging two identities, that both have the priority field value, you need to choose one to take precedence. The row at the top of the list takes precedence and the merge process uses that value, as opposed to the row that's ranked second.
To change the rank, do the following under the Identity Lookup Configuration tab:
- Drag and drop the rows of the table into a new order.
- When finished reordering, click Save Ranking.
Ranking is not considered for a multivalue field. The merge process combines all the values into the field, and then removes the duplicates.
Modify identity lookups
Make changes to the identity lookups in Splunk Enterprise Security to add new identities or change existing values in the lookup tables. You can also turn on or turn off existing lookups.
- In Enterprise Security, select Configure > Data Enrichment > Asset and Identity Management.
- Find the name of the identity list you want to edit, and select the corresponding lookup from the Source column. The list opens in an interactive editor.
- Use the scroll bars to view the columns and rows in the table. Double-click a cell to add, change, or remove content.
- Click Save when you are finished.
Manually add static identity data
Manually add new static identity data to Splunk Enterprise Security by editing the Identities lookups. For example, add internal subnets, IP addresses to be allowlisted, and other static asset and identity data.
- From the Splunk Enterprise Security menu bar, select Configure > Content > Content Management.
- To add identity data, click the Identities list to edit it.
- Use the scroll bars to view the columns and rows in the table. Double-click in a cell to add, change, or remove content.
- Save your changes.
Then you can see the lookup registered as static_identities or in Configure > Data Enrichment > Asset and Identity Management.
Turn off the demo identity lookups
The demo identity lookups are turned off by default. Turn them on if needed for testing. Turn off the demo identity lookups to prevent the demo data from being added to the primary asset and identity lookups used by Splunk Enterprise Security for asset and identity correlation.
- In Enterprise Security, select Configure > Data Enrichment > Asset and Identity Management.
- Locate the demo_identities lookups.
- Click Disable.
Delete the identity lookup
Delete the source file configuration of an identity lookup configuration if you do not want a specific identity lookup source file to be processed when the Identity Manager modular input runs.
- In Enterprise Security, select Configure > Data Enrichment > Asset and Identity Management.
- Locate the identity lookup that you created.
You may not delete the identities that are available by default.
- In the Edit Identity Manager dialog, click Delete.
Manage asset field settings in Splunk Enterprise Security | Manage identity field settings in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!