Asset and identity from multiple domains

Amire22 — Wed, 11 Jun 2025 15:47:16 GMT

Hello

I have a search head configured with assets and identity from current ad domain.

I have 5 more ad domains without trust and on different networks.

In each domain / network I have a HF sending data to indexers.

How can I set those domains to send assets and identity information to my search head?

Thank you

Re: Asset and identity from multiple domains

livehybrid — Wed, 11 Jun 2025 21:05:51 GMT

Hi @Amire22

I think you should be able to configure additional domains exactly the same way you did the first one; asset & identity data must ultimately reside in lookups (CSV or KV-store) on the ES search head, those files are not forwarded automatically by indexers/HFs.

Option A – query the directories directly from ES
- Install SA-ldapsearch (or the Splunk Add-on for Microsoft AD) on the ES search head.
- Create one stanza per domain with its own server, bindDN and credentials.
- Schedule one ldapsearch per domain that writes to a single lookup (e.g. identities.csv, assets.csv). ES will ingest those lookups when the “Identity – Lookup Gen” and “Asset – Lookup Gen” searches run.
Option B – collect on each HF and ship as events
- Install SA-ldapsearch on a HF in each domain.
- Schedule a search or scripted input that outputs CSV-formatted events and forward them to a dedicated index, e.g. index=identity.
- Use a search to pull the data into a lookup:
  Essential SPL example

index=identity sourcetype=ldap_identities
| eval category="normal"
| lookup update=true identities.csv identity OUTPUTNEW *
| outputlookup identities.csv

ES does not care where the data comes from as long as the final lookups exist on the search head. Multiple domains, lack of trust, or separate networks are irrelevant; you only need LDAP connectivity from whichever Splunk instance is executing the LDAP query.

You should probably add a domain/prefix field to your A&I lookups to show which domain the entity originates.
If you end up with a large CSV lookup consider switching to KV-store lookup.

More info on apps/addons for bringing in assets/identities info can be found at https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.0/asset-and-identity-management/extract-asset-and-identity-data-in-splunk-enterprise-security#id_23cc30fd_1876_4f43_97f4_3f37d7b6d98c__Extract_asset_and_identity_data_in_Splunk_Enterprise_Security

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Asset and identity from multiple domains

Amire22 — Thu, 12 Jun 2025 16:05:36 GMT

Thank you!

I will test option B.

topic Asset and identity from multiple domains in Splunk Enterprise Security

Asset and identity from multiple domains

Re: Asset and identity from multiple domains

Re: Asset and identity from multiple domains