Splunk Enterprise Security

Asset and identity management merge prio into lookup

eriklp
Explorer

Hi there, 

The situation is as follows. We have a scheduled search running which does an LDAP query on Active Directory and puts all computer objects into one lookup file. The lookup file is being used by Enterprise Security asset and identity management.

We want to put in a priority for these assets. Now when we do this manually, via the lookup editor, the next time the scheduled search runs the priority is overwritten again with "nothing".

Therefore we created a different CSV file with only the prioritized assets in it (and it contains the same headers as the "master" file). We would like to overwrite the "master" lookup file from Asset & Identity management with the content of that new "prio" CSV after the schedule has run. How can we achieve that?

Thanks in advance

Erik


eriklp
Explorer

Eh, there is still no solution yet... The LDAP search doesn't contain the prio list yet...

0 Karma

lakshman239
SplunkTrust

As @richgalloway says, you would need to consult the lookup file that you have [with priority assets] before finalizing them for asset/identity.

Alternatively, as you know the assets that are critical/high/medium/low priority for you, you can also do something like

|ldapsearch ..... <your search to extract fields> | <format/change to the fields required by asset> | eval priority = < apply your logic to add priority for each asset or default to low> | outputlookup <your_org_assets.csv>

However, if you have two lookup files, i.e. one is the output of the ldapsearch and the other is your list with priority, you could try to merge them using [appears to be new, I haven't tried, but it should work] https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Overwritewithentitymerge

eriklp
Explorer

Thanks, even better to do it beforehand. This is the LDAP search:

| ldapsearch domain=blabla search="(&(objectClass=computer))" | rename dNSHostName as dns, name as nt_host, operatingSystem as category
| table nt_host,dns,category


richgalloway
SplunkTrust

Modify your LDAP scheduled search to consult the "prio" CSV before writing to the assets lookup file. Share your current LDAP search for help with the specifics.

---
If this reply helps you, Karma would be appreciated.
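Putting richgalloway's and lakshman239's suggestions together into one concrete search (an added example, not code posted by anyone in this thread): it starts from Erik's ldapsearch above and, before the outputlookup, looks each host up in the prio CSV so the priority is carried on every scheduled run instead of being wiped. Assumptions, none of which are stated on the page: the prio CSV has been saved as a lookup file named prio_assets.csv (same headers as the master file, as Erik described), the match key is nt_host, the destination lookup is your_org_assets.csv (the placeholder name from lakshman239's reply), and hosts absent from the prio file default to "low", which is the fallback lakshman239 sketched rather than anything Splunk applies on its own. The reason this matters for ES: an asset whose priority reverts to empty no longer raises the urgency of notables that involve it, so the search that rebuilds the lookup has to be the one that writes the priority.

```spl
| ldapsearch domain=blabla search="(&(objectClass=computer))"
| rename dNSHostName as dns, name as nt_host, operatingSystem as category
| table nt_host, dns, category
| lookup prio_assets.csv nt_host OUTPUT priority AS prio_priority
| eval priority=coalesce(prio_priority, "low")
| fields - prio_priority
| outputlookup your_org_assets.csv
```

Run it once ad hoc before scheduling it, then check the result with `| inputlookup your_org_assets.csv | where priority!="low"`: the rows returned should be exactly the hosts in prio_assets.csv. If that check comes back empty, compare the nt_host values in the two files, since the lookup matches on the exact string and AD frequently returns computer names in a different case than an analyst typed into the prio file; normalizing with `eval nt_host=upper(nt_host)` in the search and storing the prio file in upper case removes that mismatch.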


eriklp
Explorer

I've provided the LDAP search...

0 Karma