Splunk Enterprise Security

The Asset Center and Identity Center dashboard.

aalhabbash1
Path Finder

Hi Splunkers;

Previously, the Asset Center and Identity Center dashboards took their results from assets.csv and identities.csv, which was good. Now, after updating assets.csv and identities.csv, the results shown on those dashboards are taken from identities_expanded.csv and assets_by_str.csv.
Why did this behavior occur, and how can I make them take results from assets.csv and identities.csv?
Please help us with that.

0 Karma

aalhabbash1
Path Finder

Hi jawaharas;

Thank you for your reply.
We have 4.7.4 for the 'Splunk Enterprise Security' app and 6.6.5 for 'Splunk Enterprise'.

And the 'Enable Identity Generation Autoupdate' setting has been true from the start.

But when I set | identity_sources in search, the results appeared from identities.csv.

But the issue still exists in the Asset Center and Identity Center dashboards in ES; please help me.

Regards;

0 Karma

jawaharas
Motivator

Checklist:
1. Verify whether you can view the assets.csv and identities.csv lookup tables under the 'Identity Management' page and that they are categorized as asset and identity respectively.
2. Also, these lookup tables should be in the 'Enabled' state.
3. If it's still not working, add the lookup table entries to the macros below (Settings->Advanced Search->Macros)
a) assets.csv to the asset_sources macro. Add the code below to your macro at the beginning

inputlookup append=t assets |

b) identities.csv to the identity_sources macro.

inputlookup append=t identities |

Note: Lookup definitions should be created for your lookup tables for this code to work.

0 Karma

jawaharas
Motivator

@aalhabbash1
Click Accept on this answer. Not on your own comment pls.

0 Karma

aalhabbash1
Path Finder

@jawaharas

Everything you mentioned above already exists.

And the issue has been resolved; all I did was disable and then enable static_assets and static_identities in Identity Management in ES.

Thank you for your support

0 Karma

jawaharas
Motivator

Glad it helped you to resolve the issue. Please accept and/or upvote the answer!

0 Karma

jawaharas
Motivator

@aalhabbash1

The identities_expanded.csv lookup is the cumulative output of all identity lookup tables configured under ESS. This lookup table is populated by the report 'Identity - Identity Matches - Lookup Gen'. So, ideally it should have entries from the identities.csv lookup file as well.

'Identity - Identity Matches - Lookup Gen' - Report's query:
| `identity_sources` | `make_identities` | eval `iden_mktime_meval(startDate)`,`iden_mktime_meval(endDate)`,identity=mvsort(identity) | sort 0 +identity | outputlookup output_format=splunk_mv_csv identity_lookup_expanded

Can you explain about the issue you are facing?

Note: Pls reply to this thread rather than posting your response as a new answer.

0 Karma
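A way to test the expectation in the reply above, that every entry in identities.csv also ends up in the merged lookup (an added example, not part of the original thread). It assumes the lookup definitions `identities` and `identity_lookup_expanded` named in this thread exist, and that the `identity` column of the source file is pipe-delimited; rows returned are identities present in the source but absent from the merged lookup the dashboards read.

```spl
| inputlookup identities
| eval identity=split(identity, "|")
| mvexpand identity
| eval identity=lower(identity), in_source=1
| append
    [| inputlookup identity_lookup_expanded
     | mvexpand identity
     | eval identity=lower(identity), in_expanded=1]
| stats max(in_source) AS in_source max(in_expanded) AS in_expanded BY identity
| where in_source=1 AND isnull(in_expanded)
```

An empty result means the merge report is picking up the custom file; any rows point at a disabled source or a lookup generation search that has not run since the file changed. Very large merged lookups can exceed the `append` subsearch row limit, which would show up as false positives.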

aalhabbash1
Path Finder

@jawaharas
The issue I am facing is that the Asset Center and Identity Center dashboards in ES display results from the default assets and identities lookup tables (assets_by_str.csv and identities_expanded.csv), not from the asset and identity files which I created (assets.csv and identities.csv). I need to display results from (assets.csv and identities.csv), not from (assets_by_str.csv and identities_expanded.csv). How can I achieve that?

And the 'Enable Identity Generation Autoupdate' setting was already set before.

0 Karma

jawaharas
Motivator

Make sure you have set the setting below to true on the 'Configure-->General Settings' configuration page of the ESS app.

'Enable Identity Generation Autoupdate'

If true, it permits the Identity Manager to auto-update the asset_sources, identity_sources, and generate_identities macros. Also, you can verify the list of lookup tables in your identity sources using the macro below.

| `identity_sources`

Tip: Use 'Ctrl+Shift+E' (in Windows) to expand the macro and view its content.

Reference: https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Addassetandidentitydata

0 Karma

jawaharas
Motivator

Which version of the 'Splunk Enterprise Security' app are you using?

0 Karma