topic Re: Splunk App for Enterprise Security: How does Identity Management work? in Splunk Enterprise Security

Splunk App for Enterprise Security: How does Identity Management work?

smlrwd — Mon, 28 Sep 2020 20:15:46 GMT

Hello everyone,

I was tasked with changing over our Identity management information in splunk since we switched vendors for the information. The person who worked with splunk during the install to set everything up doesn't work here anymore and I don't quite understand how it works.

In ES I go to Configure->Identity Management and I see a static asset lookup @ lookup://simple_asset_lookup
In ES I go to Configure->Data Enrichment->Lists and Lookups->Assets and it shows assets.csv

What is the difference between these two and what are they each used for? Right now, they look identical. Do they have to be?

I have created a search to populate the csv files with data from the new source.
Can I populate the csv files with more fields than are currently there?
How can I configure what can be put into these csv files and what information is monitored?

Thanks for any help you can provide.

Re: Splunk App for Enterprise Security: How does Identity Management work?

ekost — Mon, 15 Jun 2015 21:08:37 GMT

Identity Management is a part of the "data onboarding" portion of working with asset and identity information in ES. Both assets and identities are stored as lookup files. The lookups have specific fields and requirements, a .csv structure, and may be populated manually or dynamically. You may also configure both dynamic and manually updated content, as all configured lookups of a type are loaded and compared, with the resulting merged list being used for Identities reference and search in ES.
http://docs.splunk.com/Documentation/ES/3.3.0/Install/IdentityManager
http://docs.splunk.com/Documentation/ES/3.3.0/Install/IdentityManager#Integrate_new_sources_of_asset_and_identity_information

Lists and Lookups is a handy page to review and edit lookup content. http://docs.splunk.com/Documentation/ES/3.3.0/Install/Applicationprotocolsblacklist#Lists_and_lookups_editor
Identities relate to user information such as credentials, roles, email addresses, or sites. http://docs.splunk.com/Documentation/ES/3.3.0/Install/IdentityManager#Identities_fields
Assets relate to network devices such as servers, workstations, routers, switches, and other devices. http://docs.splunk.com/Documentation/ES/3.3.0/Install/IdentityManager#Asset_fields
For ES to provide a complete perspective, you will need both assets and identities configured.

Can I populate the csv files with more fields than are currently there? Adding additional fields beyond what is defined and required for the lookup won’t prevent the lookup from being merged, but you won’t see the added fields and they won’t be used with the provided ES searches.
How can I configure what can be put into these csv files and what information is monitored? The Identity fields and requirements are defined by ES. If your content is correctly mapped to the fields, you will see the results in the proper context depending upon the dashboard/data you're viewing. If you're looking for customization, I would speak to your Sales Engineer to discuss the use case.

Re: Splunk App for Enterprise Security: How does Identity Management work?

evgnt — Sun, 06 Sep 2015 15:07:29 GMT

This answer really helps, but I have a related follow-up. Does field order in the custom input file matter? Assuming you bring in the default required fields (are all fields actually required?), should you just append any extra fields to the end?

One might wonder, "Why would you bring in any more fields than ES Identity would process?" We would use the extra fields in the CSV file to augment queries with that information on an as needed basis. I would suppose that if we really wanted to we could augment the Assets and Identities model with any fields we believed to be additionally important, but I'm not certain how that would impact other functionality in ES.

Thanks for any additional information you can provide.

Re: Splunk App for Enterprise Security: How does Identity Management work?

ekost — Tue, 08 Sep 2015 19:00:31 GMT

Asset and Identity lookups were designed around a specific set of fields. An asset needs one or more of: ip, mac, nt_host, or dns, An identity needs: identity. The rest are optional. There's no need to extend the assets and identity fields, just add a new lookup based upon the key field you'd like to enrich.

Re: Splunk App for Enterprise Security: How does Identity Management work?

stefan1988 — Wed, 05 Oct 2016 10:55:29 GMT

Actually in our case we would like to add additional fields for our assets/identities so that this will be visible in Asset Investigator once you search on a particular asset. Unfortunately these additional fields are not mappable to the default key fields.
I couldn't find documentation on how to add custom fields. Does anyone know how to realize this?

Re: Splunk App for Enterprise Security: How does Identity Management work?

ekost — Wed, 05 Oct 2016 16:04:59 GMT

To clarify, would you like to define additional fields to be exposed in the Asset Investigator "Event Panel" when selecting an event, or group of events in an existing swim lane? Or, are you trying to add a new swim lane for Asset Investigator representing events matching a new or custom field?

Re: Splunk App for Enterprise Security: How does Identity Management work?

stefan1988 — Wed, 05 Oct 2016 17:55:47 GMT

I would like to add additional fields in the top panel of Asset Investigator. The top panel is giving information about nt_host, ip, etc. I would like to add a custom field into it. (so this has nothing to do with the swim lane below)

Re: Splunk App for Enterprise Security: How does Identity Management work?

ekost — Thu, 06 Oct 2016 17:15:59 GMT

At the moment, there's no support for adding displayed fields via the UI in ES. I suppose that the page code could be modified, but you'd break 'something' when upgrading to later releases of ES. I suggest you write up the use-case and submit it as an enhancement request.

Re: Splunk App for Enterprise Security: How does Identity Management work?

gndivya — Wed, 20 Nov 2019 09:55:26 GMT

@ekost,
Could you please explain the point - "The lookups have specific fields and requirements, a .csv structure, and may be populated manually or dynamically. " how to populate the lookup dynamically in a distributed environment, such as AWS?

Re: Splunk App for Enterprise Security: How does Identity Management work?

ekost — Wed, 20 Nov 2019 18:06:32 GMT

Good day! Having assets (hosts or other object) in AWS is not unique, but the tool used to track or assign those assets should have a report output that you could extract, format, and load into ES. The documentation around the Asset and Identity data structure and ways to collect that data is worth a read.

Re: Splunk App for Enterprise Security: How does Identity Management work?

ekost — Wed, 20 Nov 2019 18:14:49 GMT

Can I populate the csv files with more fields than are currently there?

With the release of Enterprise Security 6.0, the Asset and Identity framework supports adding custom fields. See Manage assets and identities in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.