Splunk Enterprise Security

Splunk ES Assets and identity setup

splunkcol
Builder

Hi, has anyone worked with Assets and identity from Splunk Enterprise Security?

I already have the App "Splunk Supporting Add-on for Active Directory" installed

From the app I do connection tests and they are successful but when I enter Splunk ES I do not see Assets and Identity information

What should I check?

0 Karma

splunkcol
Builder

Yes, that is what I need, but it is not very clear to me. I need support from someone who can guide me, since the documentation is not very clear.

At this moment I know that I must enter the tab "Data on Boarding", but it is not clear to me that I must fill out the form.

0 Karma

lakshman239
Influencer

One approach you could follow:

1. Using the LDAP/AD add-on that you have, pull all the required fields for asset and identity onto a temp index.

2. Using the events from the temp index, create, format and validate the fields and create the required lookups.

3. Update the asset/identity inputs/macros to your custom lookups.
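
As an added illustration of step 2 (not part of the answer above and not Splunk's own code), this Python sketch turns a CSV export of AD user attributes into a file with the identity lookup header and reports rows that need attention. The header list and priority values follow the Splunk ES documentation as I understand it and should be checked against your ES version; the AD-to-ES attribute mapping, the optional `priority` column in the export, and the sample data are assumptions.

```python
import csv
import io

# Identity lookup columns per the ES docs (assumption: verify for your version).
IDENTITY_FIELDS = (
    "identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,"
    "priority,bunit,category,watchlist,startDate,endDate,"
    "work_city,work_country,work_lat,work_long").split(",")
PRIORITIES = {"low", "medium", "high", "critical"}
# Assumed mapping from AD attributes (as exported from the temp index) to ES fields.
AD_TO_ES = {"sAMAccountName": "identity", "personalTitle": "prefix",
            "displayName": "nick", "givenName": "first", "sn": "last",
            "mail": "email", "telephoneNumber": "phone", "mobile": "phone2",
            "manager": "managedBy", "department": "bunit", "whenCreated": "startDate"}


def build_identity_lookup(ad_csv_text, default_priority="medium"):
    """Return (lookup_csv_text, problems) for an AD export given as CSV text."""
    rows, problems, seen = [], [], set()
    for n, ad in enumerate(csv.DictReader(io.StringIO(ad_csv_text)), start=2):
        row = dict.fromkeys(IDENTITY_FIELDS, "")
        for ad_name, es_name in AD_TO_ES.items():
            row[es_name] = (ad.get(ad_name) or "").strip()
        row["priority"] = (ad.get("priority") or default_priority).strip().lower()
        if not row["identity"]:
            problems.append(f"line {n}: empty identity, row skipped")
            continue
        if row["identity"].lower() in seen:
            problems.append(f"line {n}: duplicate identity, row skipped")
            continue
        if row["priority"] not in PRIORITIES:
            problems.append(f"line {n}: unknown priority {row['priority']!r}")
            row["priority"] = default_priority
        seen.add(row["identity"].lower())
        rows.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=IDENTITY_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), problems


# Constructed sample export (not real directory data).
SAMPLE = """sAMAccountName,givenName,sn,mail,department,priority
jdoe,Jane,Doe,jdoe@example.test,Finance,HIGH
,No,Name,nobody@example.test,IT,low
JDOE,Jane,Doe,jdoe@example.test,Finance,high
asmith,Al,Smith,asmith@example.test,IT,urgent
"""
```

The returned CSV text can be saved as the lookup file that the custom identity input from step 3 points at; the `problems` list shows which source rows were skipped or adjusted.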


splunkcol
Builder

Thanks for your answer. Because there is no more specific documentation on what values I could put in that form, could you give me an example of how to fill in those fields?

0 Karma