Splunk Enterprise Security

Splunk ES Assets and identity setup

splunkcol
Contributor

Hi, has anyone worked with Assets and identity from Splunk Enterprise Security?

I already have the App "Splunk Supporting Add-on for Active Directory" installed

From the app I do connection tests and they are successful but when I enter Splunk ES I do not see Assets and Identity information

What should I check?

splunkcol_0-1613051624070.png

 

splunkcol_1-1613051703809.png

 

Labels (1)
0 Karma

splunkcol
Contributor

 

Yes, that is what I need but it is not very clear to me, I need support from someone who can guide me since the documentation is not very clear

at this moment I know that I must enter the tab "Data on Boarding"

splunkcol_0-1613062871661.png

but it is not clear to me that I must fill out the form

 

splunkcol_0-1613063505631.png

 

0 Karma

lakshman239
SplunkTrust
SplunkTrust

One approach you could follow 

1.using the LDAP/AD addon that you have pull all the required fields for asset and identity. On to a temp index 

2. Using the events from temp index, create, format and validate the fields and create required lookups.

3. Update asset/identity inputs/macros to your custom lookups

 

 

 

 

 

 

splunkcol
Contributor

Thanks for your answer, because there is no more specific documentation on what are the values ​​that I could put in that form, could you give me an example of how to fill those fields?

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...