Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Create an asset lookup from your cloud service provider data in Splunk Enterprise Security

Use cloud service provider data to register your identities, create a lookup, and schedule a search to run on a regular basis. Creating a cloud provider lookup automatically adds specific fields into the asset list, such as:

image_id, instance_type, network_interface_id, subnet_id, vendor_account, vendor_region

.

After saving the lookup search, you can edit or delete the fields from the Asset Fields tab of Asset and Identity Management. See Manage identity field settings in Splunk Enterprise Security.

Create an asset lookup

Prerequisites

  • You must already have a cloud service provider.
  • You must already be ingesting data from the cloud service provider into the Splunk platform.

Steps

Use the Asset and Identity Builder page to perform the following steps:

  1. From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Asset Lookup Configuration tab.
  3. Click New.
  4. Select the Cloud Services Lookup from the drop-down menu.

Name the asset lookup search

Steps

In the Search section of the Asset and Identity Builder page, perform the following steps:

  1. In the Search Name field, type a unique name for the search.
  2. From the Cloud data source drop-down menu, select one of the following options:
    • Select the name of a cloud service provider. These are listed by provider name and also by the event type used for the corresponding search, such as AWS (aws_description_ec2_instances).
    • Select Custom and when the Custom event type field appears, do one of the following:
      • Choose an event type. These are all the available event types in the Splunk platform, regardless of whether that type of data is populating in your environment.
      • Type a custom value of your own. Use this option if you have an alternate cloud source data type that you have not yet installed. See eventtypes.conf in the Splunk Enterprise Admin Manual.

After you have provided your cloud service provider, you will see messages in the custom search builder preview, such as "Valid search specifications must specify the 'lookup'." This message is normal at this point.

Auto-generate the lookup fields

Steps

In the Lookup section of the Asset and Identity Builder page, perform the following steps:

  1. In the Label field, type a lookup label for your search-driven lookup.
  2. In the Lookup field, type a unique lookup name or transform name.

The lookup CSV filename auto-completes based on the name you provided for the lookup name.

Create a search schedule

After you have completed generating the lookup fields, the custom search builder preview displays the search it has created. Click Run search to verify if the search returns results.

Steps

In the Search Schedule section of the Asset and Identity Builder page, perform the following steps:

  1. Enter a cron schedule.
  2. Select Real-time or Continuous scheduling.
  3. Click Save.

After creating a search schedule, you can access the following searches in the Enterprise Security app:

  • Saved searches in Configure > Content > Content Management.
  • Lookup tables and lookup definitions in Settings > Lookups.

Make auto-updates to the assets

Create the settings that are stored in the input.conf file that points to the lookup and pulls the data every 5 minutes to make updates to the asset collections. To make auto-updates to assets, access the New Asset Manager. The Source is auto-populated with the name of the lookup that you provided. For more information, see Manage identity lookup configuration policies in Splunk Enterprise Security.

Last modified on 03 September, 2020
PREVIOUS
Create an identity lookup from your current LDAP data in Splunk Enterprise Security
  NEXT
Create an identity lookup from your cloud service provider data in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters