Splunk Enterprise Security

add partial information from Cisco ISE logs to identities lookup

rashid47010
Communicator

I am seeing some interesting information from Cisco logs, for example user name, hostname, MAC address, location, connected switch port.

So how can I add user information to the identities lookup table?

Furthermore, how do I preserve today's login IP (the IP or workstation name from which the user logged in)? The next day it will become yesterday's data, and then compare it with today's login as the stored data becomes yesterday's data.

1 Solution

DavidHourani
Super Champion

Hi @rashid47010,

To answer your first question: "how can I add user information to identities lookup table."
Since you are probably generating this identity lookup automatically based on a saved search, you need to craft a search that not only grabs data from your AD but also joins it to the ISE data and enriches it with your required fields. All that then has to go through an outputlookup to build the identity lookup.
Note: Be careful about supported fields in the identity lookup, not all fields are used by ES. Check out this link for the list of supported fields:
https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Formatassetoridentitylist#Identity_lookup_field...

As for your second question about maintaining a history of IPs, this is done naturally with the indexed data; you could always rely on your index to get your previous IPs. In case you need this in a lookup, you also need to leverage outputlookup combined with a saved search that runs daily and builds your "today" and "yesterday" list of IPs used by your users.

Cheers,
David
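A concrete version of both scheduled searches, as an added example that is not part of David's answer or of any Splunk app: a savedsearches.conf for a custom app with one search that builds the ES identity lookup from an AD export joined to ISE, one that snapshots yesterday's logins, and one that compares today's logins against that snapshot. The sourcetype `cisco:ise:syslog`, the ISE field names (`UserName`, `Framed_IP_Address`, `Calling_Station_ID`, `NAS_Port_Id`, `Location`), the AD lookup `ad_users.csv` with its column names, and the output lookup names are all assumptions; replace them with what your environment actually produces. Only identity-list fields from the docs link above are written to the identity CSV.

```ini
# Added example (not from the thread): savedsearches.conf in a custom app.
# Sourcetype, field names and lookup file names are assumptions.

# 1. Nightly build of the ES identity lookup: AD export left-joined with the
#    latest ISE-observed location per user. Only fields ES reads from an
#    identity list are kept; ISE extras such as MAC or switch port belong in
#    a separate lookup (search 2), not here.
[Build ES identity lookup from AD and ISE]
enableSched = 1
cron_schedule = 0 2 * * *
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
search = | inputlookup ad_users.csv \
  | rename sAMAccountName AS identity, givenName AS first, sn AS last, mail AS email, department AS bunit \
  | join type=left identity [ \
        search index=network sourcetype="cisco:ise:syslog" UserName=* Location=* \
        | stats latest(Location) AS work_city by UserName \
        | rename UserName AS identity ] \
  | eval priority="medium", category="ise_seen", watchlist="false" \
  | table identity first last email bunit work_city priority category watchlist \
  | outputlookup identities_ise.csv

# 2. Shortly after midnight, snapshot yesterday's last login IP, MAC and
#    switch port per user. Overwriting the CSV every day is what turns
#    "today" into "yesterday".
[Build yesterday login lookup from ISE]
enableSched = 1
cron_schedule = 5 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
search = index=network sourcetype="cisco:ise:syslog" UserName=* Framed_IP_Address=* \
  | stats latest(Framed_IP_Address) AS yesterday_ip latest(Calling_Station_ID) AS yesterday_mac latest(NAS_Port_Id) AS yesterday_port by UserName \
  | rename UserName AS identity \
  | outputlookup user_login_yesterday.csv

# 3. Hourly comparison: users whose logins today come from an IP that differs
#    from yesterday's snapshot. Users absent from the snapshot are skipped so
#    brand-new accounts do not fire on their first day.
[Detect login IP changed since yesterday]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = @d
dispatch.latest_time = now
search = index=network sourcetype="cisco:ise:syslog" UserName=* Framed_IP_Address=* \
  | stats values(Framed_IP_Address) AS today_ip by UserName \
  | rename UserName AS identity \
  | lookup user_login_yesterday.csv identity OUTPUT yesterday_ip yesterday_mac yesterday_port \
  | mvexpand today_ip \
  | where isnotnull(yesterday_ip) AND today_ip!=yesterday_ip \
  | table identity today_ip yesterday_ip yesterday_mac yesterday_port
```

The identity CSV still has to be registered as an identity list in ES identity management before ES merges it; the second and third searches are plain scheduled searches that need no ES configuration. If ISE logs the user as `DOMAIN\user` or `user@domain` while AD exports `sAMAccountName`, normalise the name in both branches (for example with `rex` or `lower()`) before the join, or the join and the lookup will silently match nothing.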


koshyk
Super Champion

There are a few options. I assume when you say "add user information" you mean enriching user information like FirstName, LastName etc.?

The logic normally exists within the technology add-on (TA). You could add the enrichment directly into the TA's lookups directory, or better, create an app of your own, e.g. MY_custom_cisco_app, and create lookups within it. The lookups can be auto-generated from your Active Directory or CMDB, or could be manually listed.
Once you have the lookup in your new app, under transforms.conf add a LOOKUP-myuserenrich line to do a lookup from the Cisco events to your lookup.
If you post the actual events, we can write the actual transforms.conf for you.
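As an added example that is not part of koshyk's answer or of any Cisco add-on, here are the stanzas that wire an automatic user-enrichment lookup into a custom app. The lookup definition lives in transforms.conf and the `LOOKUP-` entry that applies it to a sourcetype lives in props.conf. The sourcetype `cisco:ise:syslog`, the ISE field `UserName`, the app name, the CSV name and its columns are assumptions, and the CSV rows are constructed sample data.

```ini
# Added example (not from the thread). Files live under
# $SPLUNK_HOME/etc/apps/MY_custom_cisco_app/; the sourcetype, field names
# and file names are assumptions.

# --- lookups/user_enrich.csv (constructed sample rows) ---
# UserName,first,last,bunit,title
# jdoe,Jane,Doe,Finance,Analyst
# asmith,Alan,Smith,IT,Network Engineer

# --- default/transforms.conf: the lookup definition ---
[user_enrich]
filename = user_enrich.csv
# ISE may log the user name in varying case; match without regard to case
# so "JDOE" and "jdoe" both enrich.
case_sensitive_match = false

# --- default/props.conf: apply the lookup automatically to ISE events ---
[cisco:ise:syslog]
# OUTPUTNEW leaves any user_first/user_last already present on the event
# untouched and only fills in missing values. Events whose UserName is not
# in the CSV simply get no enrichment fields.
LOOKUP-myuserenrich = user_enrich UserName OUTPUTNEW first AS user_first last AS user_last bunit AS user_bunit title AS user_title
```

Keeping these in your own app rather than in the Cisco TA means an upgrade of the TA cannot overwrite them. To check the wiring before relying on it, run the same lookup ad hoc (`... | lookup user_enrich UserName OUTPUTNEW first AS user_first`) against a few ISE events and confirm the new fields appear.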
