Splunk® Enterprise Security

Administer Splunk Enterprise Security

Create an identity lookup from your cloud service provider data in Splunk Enterprise Security

Use cloud service provider data to register your identities, create a lookup, and schedule a search to run on a regular basis.

Create an identity lookup

Prerequisites

  • You must already have a cloud service provider.
  • You must already be ingesting data from the cloud service provider into the Splunk platform.

Steps

Use the Asset and Identity Builder page to perform the following steps:

  1. From the Splunk Enterprise Security menu bar, select Configure then Datasets then, Assets and identities.
  2. Select the Identity Lookups tab.
  3. Select New.
  4. Select the Cloud Services Lookup from the drop-down menu.

Name the identity lookup search

Steps

In the Search section of the Asset and Identity Builder page, perform the following steps:

  1. In the Search Name field, type a unique name for the search.
  2. From the Cloud data source drop-down menu, select one of the following options:
    • Select the name of a cloud service provider. These are listed by provider name and also by the event type used for the corresponding search, such as AWS (aws_description_ec2_instances).
    • Select Custom and when the Custom event type field appears, do one of the following:
      • Choose an event type. These are all the available event types in the Splunk platform, regardless of whether that type of data is populating in your environment.
      • Type a custom value of your own. Use this option if you have an alternate cloud source data type that you have not yet installed. See eventtypes.conf in the Splunk Enterprise Admin Manual.

After you have provided your cloud service provider, you will see messages in the custom search builder preview, such as "Valid search specifications must specify the 'lookup'." This message is normal at this point.

Auto-generate the lookup fields

Steps

In the Lookup section of the Asset and Identity Builder page, perform the following steps:

  1. In the Label field, type a lookup label for your search-driven lookup.
  2. In the Lookup field, type a unique lookup name or transform name.

The lookup CSV filename auto-completes based on the name you provided for the lookup name.

Create a search schedule

After you have completed generating the lookup fields, the custom search builder preview displays the search it has created. Select Run search to verify if the search returns results.

Steps

In the Search Schedule section of the Asset and Identity Builder page, perform the following steps:

  1. Enter a cron schedule.
  2. Select Real-time or Continuous scheduling.
  3. Select Save.

After creating a search schedule, you can access the following searches in the Enterprise Security app:

  • Saved searches in Content management.
  • Lookup tables and lookup definitions in Settings > Lookups.

Make auto-updates to assets or identities

Create the settings that are stored in the input.conf file that points to the lookup and pulls the data every 5 minutes to make updates to the identity collections. To make auto-updates to identitiess, access the New Identity Manager. The Source is auto-populated with the name of the lookup that you provided. For more information, see Identity Lookup Configuration.

Last modified on 26 August, 2024
Create an asset lookup from your cloud service provider data in Splunk Enterprise Security   Supported data sources in behavioral analytics service

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters