Assistance Needed for Setting Up Assets and Identity from Scratch

AL3Z
Builder

Hi,

Can someone please assist me in setting up assets and identity from scratch, and what prerequisites are necessary for this?

Thanks in advance.

jvarner92
Splunk Employee

Honestly, you just need two sources of truth. One for hardware, which in customer environments I typically see as Tenable, CrowdStrike, or some sort of reliable application that scans most of the network devices. One for identities, for which I have used Okta, LDAP, or some sort of identity service. Then I would create some SPL that would look like the following (in this example I am using Okta):

index=prod_okta user=*@*
| eval identity = user
| rename profile.* AS *
| eval prefix = honorificPrefix
| eval nick = nickName
| eval first = firstName
| eval last = lastName
| eval suffix = honorificSuffix
| eval email = ciscoUsername
| eval phone = primaryPhone
| eval managedBy = manager
| eval priority = debugContext.debugData.risk
| eval bunit = coalesce(label,department)
| eval category = actor.type
| eval watchlist = admin_interest
| eval startDate = thousandeyesStartDate
| eval endDate = thousandeyesTermDate
| eval work_city = city
| eval work_country = country
| eval work_lat = latitude
| eval work_long = longitude
| eval device_name = client.device
| eval work_state = state
| eval postal_code = postal
| eval employee_num = employeeNumber
| eval employee_status = employmentStatus
| eval manager_id = managerId
| eval manager_email = mgr_email
| eval postal_address = postalAddress
| eval sam_account_name = sAMAccountName
| eval second_email = secondEmail
| eval mobile_phone = mobilePhone
| eval title = title
| stats first(prefix) AS prefix first(nick) AS nick first(first) AS first values(last) AS last first(suffix) AS suffix first(email) AS email first(phone) AS phone first(managedBy) AS managedBy first(priority) AS priority first(bunit) AS bunit first(category) AS category first(watchlist) AS watchlist first(startDate) AS startDate first(endDate) AS endDate first(work_city) AS work_city first(work_country) AS work_country first(work_lat) AS work_lat first(work_long) AS work_long first(device_name) AS device_name first(work_state) AS work_state first(postal_code) AS postal_code first(employee_num) AS employee_num first(employee_status) AS employee_status first(manager_id) AS manager_id first(manager_email) AS manager_email first(postal_address) AS postal_address first(sam_account_name) AS sam_account_name first(second_email) AS second_email first(mobile_phone) AS mobile_phone first(title) AS title by identity
| table identity prefix nick first last suffix email phone managedBy priority bunit category watchlist startDate endDate work_city work_country work_lat work_long device_name work_state postal_code employee_num employee_status manager_id manager_email postal_address sam_account_name second_email mobile_phone title
| append [| inputlookup okta_identies.csv]
| stats first(prefix) AS prefix first(nick) AS nick first(first) AS first values(last) AS last first(suffix) AS suffix first(email) AS email first(phone) AS phone first(managedBy) AS managedBy first(priority) AS priority first(bunit) AS bunit first(category) AS category first(watchlist) AS watchlist first(startDate) AS startDate first(endDate) AS endDate first(work_city) AS work_city first(work_country) AS work_country first(work_lat) AS work_lat first(work_long) AS work_long first(device_name) AS device_name first(work_state) AS work_state first(postal_code) AS postal_code first(employee_num) AS employee_num first(employee_status) AS employee_status first(manager_id) AS manager_id first(manager_email) AS manager_email first(postal_address) AS postal_address first(sam_account_name) AS sam_account_name first(second_email) AS second_email first(mobile_phone) AS mobile_phone first(title) AS title by identity
| outputlookup okta_identies.csv

Hope this helps.

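To make the merge behaviour of that append / stats / outputlookup tail concrete, here is an added Python model (not code from the post or from Splunk) of what the search does to the lookup on each run; the column list is assumed to be the ES identity fields the SPL populates, and the sample rows are constructed.

```python
import csv
import io

# ES identity-lookup columns populated by the SPL above (assumption: this is the
# column set your ES version expects; the other eval'd fields are custom extras).
ES_IDENTITY_FIELDS = (
    "identity", "prefix", "nick", "first", "last", "suffix", "email", "phone",
    "managedBy", "priority", "bunit", "category", "watchlist", "startDate",
    "endDate", "work_city", "work_country", "work_lat", "work_long",
)

def merge_identities(new_rows, existing_rows, fields=ES_IDENTITY_FIELDS):
    """Model of `... | append [| inputlookup X] | stats first(f) ... by identity`.

    Live search results precede the lookup rows, so a fresh value wins, but
    stats first() ignores nulls: if the new event lacks a field, the value
    already in the lookup survives. Identities seen only in the lookup are
    kept too, so this search grows the lookup and never prunes it (set
    endDate for leavers rather than expecting them to disappear).
    """
    merged = {}
    for row in list(new_rows) + list(existing_rows):
        ident = row.get("identity")
        if not ident:            # a row with no identity key is useless to ES
            continue
        target = merged.setdefault(ident, {f: "" for f in fields})
        for f in fields:
            if target[f] == "" and row.get(f, "") != "":
                target[f] = row[f]  # first non-empty value in order wins
    return [merged[k] for k in sorted(merged)]

def to_lookup_csv(rows, fields=ES_IDENTITY_FIELDS):
    """Serialise merged rows in the header/column order outputlookup writes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample data: one row already in the lookup, two from today's search.
EXISTING = [{"identity": "jdoe", "first": "Jane", "last": "Doe", "email": "jdoe@example.com",
             "bunit": "Finance", "watchlist": "true"}]
NEW = [{"identity": "jdoe", "first": "Jane", "last": "Doe", "email": "jdoe@example.com",
        "bunit": "Treasury"},                     # changed team; Okta sent no watchlist field
       {"identity": "asmith", "first": "Al", "last": "Smith", "email": "asmith@example.com",
        "bunit": "IT", "category": "privileged"}]

if __name__ == "__main__":
    print(to_lookup_csv(merge_identities(NEW, EXISTING)))
```

Running it shows jdoe's bunit updated to Treasury while the watchlist flag from the old lookup row is preserved, which is the behaviour to keep in mind when deciding which fields the Okta search must always emit.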

gcusello
SplunkTrust

Hi @AL3Z,

If you don't want to manually manage Assets and Identities (I'm supposing that you are speaking of ES), the prerequisite is the availability of external archives containing the company assets and identities that you can query using a script, an LDAP query or a DB Connect query.

So, having these archives, you have to query them, saving the results in an index and from the index into the predefined ES lookups.

Obviously this job requires that you have analyzed your data and the record set of ES Assets and Identities.

Ciao.

Giuseppe
