Splunk Enterprise Security

Splunk App for Enterprise Security: How does Identity Management work?

smlrwd
Explorer

Hello everyone,

I was tasked with changing over our Identity management information in splunk since we switched vendors for the information. The person who worked with splunk during the install to set everything up doesn't work here anymore and I don't quite understand how it works.

In ES I go to Configure->Identity Management and I see a static asset lookup @ lookup://simple_asset_lookup
In ES I go to Configure->Data Enrichment->Lists and Lookups->Assets and it shows assets.csv

What is the difference between these two and what are they each used for? Right now, they look identical. Do they have to be?

I have created a search to populate the csv files with data from the new source.
Can I populate the csv files with more fields than are currently there?
How can I configure what can be put into these csv files and what information is monitored?

Thanks for any help you can provide.

ekost
Splunk Employee
Splunk Employee

Can I populate the csv files with more fields than are currently there?

With the release of Enterprise Security 6.0, the Asset and Identity framework supports adding custom fields. See Manage assets and identities in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.

0 Karma

ekost
Splunk Employee
Splunk Employee

Identity Management is a part of the "data onboarding" portion of working with asset and identity information in ES. Both assets and identities are stored as lookup files. The lookups have specific fields and requirements, a .csv structure, and may be populated manually or dynamically. You may also configure both dynamic and manually updated content, as all configured lookups of a type are loaded and compared, with the resulting merged list being used for Identities reference and search in ES.
http://docs.splunk.com/Documentation/ES/3.3.0/Install/IdentityManager
http://docs.splunk.com/Documentation/ES/3.3.0/Install/IdentityManager#Integrate_new_sources_of_asset...

Lists and Lookups is a handy page to review and edit lookup content. http://docs.splunk.com/Documentation/ES/3.3.0/Install/Applicationprotocolsblacklist#Lists_and_lookup...
Identities relate to user information such as credentials, roles, email addresses, or sites. http://docs.splunk.com/Documentation/ES/3.3.0/Install/IdentityManager#Identities_fields
Assets relate to network devices such as servers, workstations, routers, switches, and other devices. http://docs.splunk.com/Documentation/ES/3.3.0/Install/IdentityManager#Asset_fields
For ES to provide a complete perspective, you will need both assets and identities configured.

  • Can I populate the csv files with more fields than are currently there? Adding additional fields beyond what is defined and required for the lookup won’t prevent the lookup from being merged, but you won’t see the added fields and they won’t be used with the provided ES searches.
  • How can I configure what can be put into these csv files and what information is monitored? The Identity fields and requirements are defined by ES. If your content is correctly mapped to the fields, you will see the results in the proper context depending upon the dashboard/data you're viewing. If you're looking for customization, I would speak to your Sales Engineer to discuss the use case.

gndivya
Explorer

@ekost,
Could you please explain the point - "The lookups have specific fields and requirements, a .csv structure, and may be populated manually or dynamically. " how to populate the lookup dynamically in a distributed environment, such as AWS?

0 Karma

ekost
Splunk Employee
Splunk Employee

Good day! Having assets (hosts or other object) in AWS is not unique, but the tool used to track or assign those assets should have a report output that you could extract, format, and load into ES. The documentation around the Asset and Identity data structure and ways to collect that data is worth a read.

0 Karma

evgnt
New Member

This answer really helps, but I have a related follow-up. Does field order in the custom input file matter? Assuming you bring in the default required fields (are all fields actually required?), should you just append any extra fields to the end?

One might wonder, "Why would you bring in any more fields than ES Identity would process?" We would use the extra fields in the CSV file to augment queries with that information on an as needed basis. I would suppose that if we really wanted to we could augment the Assets and Identities model with any fields we believed to be additionally important, but I'm not certain how that would impact other functionality in ES.

Thanks for any additional information you can provide.

0 Karma

ekost
Splunk Employee
Splunk Employee

Asset and Identity lookups were designed around a specific set of fields. An asset needs one or more of: ip, mac, nt_host, or dns, An identity needs: identity. The rest are optional. There's no need to extend the assets and identity fields, just add a new lookup based upon the key field you'd like to enrich.

stefan1988
Path Finder

Actually in our case we would like to add additional fields for our assets/identities so that this will be visible in Asset Investigator once you search on a particular asset. Unfortunately these additional fields are not mappable to the default key fields.
I couldn't find documentation on how to add custom fields. Does anyone know how to realize this?

0 Karma

ekost
Splunk Employee
Splunk Employee

To clarify, would you like to define additional fields to be exposed in the Asset Investigator "Event Panel" when selecting an event, or group of events in an existing swim lane? Or, are you trying to add a new swim lane for Asset Investigator representing events matching a new or custom field?

stefan1988
Path Finder

I would like to add additional fields in the top panel of Asset Investigator. The top panel is giving information about nt_host, ip, etc. I would like to add a custom field into it. (so this has nothing to do with the swim lane below)

0 Karma

ekost
Splunk Employee
Splunk Employee

At the moment, there's no support for adding displayed fields via the UI in ES. I suppose that the page code could be modified, but you'd break 'something' when upgrading to later releases of ES. I suggest you write up the use-case and submit it as an enhancement request.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...