Splunk Enterprise Security

Asset and identity management merge prio into lookup

eriklp
Explorer

Hi there, 

The situation is as follows. We have a scheduled search running which does an LDAP query on Active Directory and puts all computer objects into one lookup file. The lookup file is used by Enterprise Security asset and identity management.

We want to set a priority for these assets. When we do this manually via the lookup editor, the next time the scheduled search runs the priority is overwritten again with "nothing".

Therefore we created a different CSV file containing only the prioritized assets (with the same headers as the "master" file). We would like to overwrite the "master" lookup file from asset & identity management with the content of that new "prio" CSV after the schedule has run. How can we achieve that?

Thanks in advance

Erik

eriklp
Explorer

Eh, there is still no solution yet.. The LDAP search doesn't contain the prio list yet..

0 Karma

lakshman239
Influencer

As @richgalloway says, you would need to consult the lookup file that you have [with priority assets] before finalizing them for asset/identity.

Alternatively, as you know the assets that are critical/high/medium/low priority for you, you can also do something like

```
| ldapsearch ..... <your search to extract fields>
| <format/change to the fields required by asset>
| eval priority = <apply your logic to add priority for each asset or default to low>
| outputlookup <your_org_assets.csv>
```

However, if you have 2 lookup files - i.e. one is the output of the ldapsearch and the other is your list with priority - you could try to merge them using [appears to be new, I haven't tried, but should work] https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Overwritewithentitymerge

eriklp
Explorer

Thanks, even better to do it beforehand. This is the LDAP search

```
| ldapsearch domain=blabla search="(&(objectClass=computer))"
| rename dNSHostName as dns, name as nt_host, operatingSystem as category
| table nt_host,dns,category
```
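Putting the two suggestions together (consult the prio CSV inside the scheduled search, then write the merged result), here is an added example of what the scheduled search could look like. It is not code from any of the posters; it assumes a lookup definition named prio_assets over the prio CSV (columns nt_host and priority), a master lookup file named assets_ldap.csv, and the standard ES priority values low/medium/high/critical.

```spl
| ldapsearch domain=blabla search="(&(objectClass=computer))"
| rename dNSHostName as dns, name as nt_host, operatingSystem as category
| table nt_host,dns,category
``` normalise the key so the match does not depend on AD vs. CSV letter case
    (or set case_sensitive_match=false on the assumed prio_assets definition) ```
| eval nt_host=lower(nt_host)
``` pull the manually maintained priority for hosts present in the prio CSV ```
| lookup prio_assets nt_host OUTPUT priority as prio_override
``` keep the maintained value, otherwise default to low so ES never sees an empty priority ```
| eval priority=coalesce(lower(prio_override), "low")
``` reject values that are not valid ES priorities rather than writing them into the asset lookup ```
| eval priority=if(priority IN ("low","medium","high","critical"), priority, "low")
| fields - prio_override
| table nt_host,dns,category,priority
``` the master lookup is rewritten on every run, but the priority now survives because it
    is sourced from the separate prio CSV each time instead of from the previous master file ```
| outputlookup assets_ldap.csv
```

Hosts that appear in the prio CSV but no longer exist in AD are intentionally dropped, since the LDAP result is the source of truth for which assets exist.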

richgalloway
SplunkTrust

Modify your LDAP scheduled search to consult the "prio" CSV before writing to the assets lookup file. Share your current LDAP search for help with the specifics.

---
If this reply helps you, Karma would be appreciated.

eriklp
Explorer

I've provided the LDAP search..

0 Karma