Create an asset lookup from your cloud service provider data in Splunk Enterprise Security
Use cloud service provider data to register your identities, create a lookup, and schedule a search to run on a regular basis. Creating a cloud provider lookup automatically adds specific fields into the asset list, such as:
image_id, instance_type, network_interface_id, subnet_id, vendor_account, vendor_region
After saving the lookup search, you can edit or delete the fields from the Asset Fields tab of Asset and Identity Management. See Manage identity field settings in Splunk Enterprise Security.
Create an asset lookup
- You must already have a cloud service provider.
- You must already be ingesting data from the cloud service provider into the Splunk platform.
Use the Asset and Identity Builder page to perform the following steps:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Asset Lookup Configuration tab.
- Click New.
- Select the Cloud Services Lookup from the drop-down menu.
Name the asset lookup search
In the Search section of the Asset and Identity Builder page, perform the following steps:
- In the Search Name field, type a unique name for the search.
- From the Cloud data source drop-down menu, select one of the following options:
- Select the name of a cloud service provider. These are listed by provider name and also by the event type used for the corresponding search, such as AWS (aws_description_ec2_instances).
- Select Custom and when the Custom event type field appears, do one of the following:
- Choose an event type. These are all the available event types in the Splunk platform, regardless of whether that type of data is populating in your environment.
- Type a custom value of your own. Use this option if you have an alternate cloud source data type that you have not yet installed. See eventtypes.conf in the Splunk Enterprise Admin Manual.
After you have provided your cloud service provider, you will see messages in the custom search builder preview, such as "Valid search specifications must specify the 'lookup'." This message is normal at this point.
Auto-generate the lookup fields
In the Lookup section of the Asset and Identity Builder page, perform the following steps:
- In the Label field, type a lookup label for your search-driven lookup.
- In the Lookup field, type a unique lookup name or transform name.
The lookup CSV filename auto-completes based on the name you provided for the lookup name.
Create a search schedule
After you have completed generating the lookup fields, the custom search builder preview displays the search it has created. Click Run search to verify if the search returns results.
In the Search Schedule section of the Asset and Identity Builder page, perform the following steps:
- Enter a cron schedule.
- Select Real-time or Continuous scheduling.
- Click Save.
After creating a search schedule, you can access the following searches in the Enterprise Security app:
- Saved searches in Configure > Content > Content Management.
- Lookup tables and lookup definitions in Settings > Lookups.
Make auto-updates to the assets
Create the settings that are stored in the input.conf file that points to the lookup and pulls the data every 5 minutes to make updates to the asset collections. To make auto-updates to assets, access the New Asset Manager. The Source is auto-populated with the name of the lookup that you provided. For more information, see Manage identity lookup configuration policies in Splunk Enterprise Security.
Create an identity lookup from your current LDAP data in Splunk Enterprise Security
Create an identity lookup from your cloud service provider data in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0