Pulls asset and identity data into the Splunk app for Enterprise Security from LDAP and other sources
hire-vladimir/SA-IdentityAssetExtraction
Introduction

The Splunk SA-IdentityAssetExtraction add-on works with various data sources to create and populate asset and identity information. Asset and identity information within this app is integrated with Enterprise Security (ES) Identity framework to enrich and correlate events with customer-defined information.

Supported sources for identity collection:

Supported sources for asset collection:

  • Active directory (via SA-ldapsearch)
  • Splunk deployment clients
  • AWS EC2 (via Splunk App for AWS)
  • ServiceNow CMDB (future)
  • Microsoft SCCM (future)
  • McAfee ePO (future)

Project found at https://github.com/hire-vladimir/SA-IdentityAssetExtraction. Interested in contributing? Create a pull request or open an issue on GitHub!

Tested with

  • Splunk 6.5+, 6.6+, 7.0+
  • Enterprise Security 3+, 4+, 5+
  • SA-ldapsearch 2.1+
  • AWS TA 4+

Assumptions and pre-requisites

The following pre-requisites depend on which data sources will be used for integration:

  1. The SA-ldapsearch app is installed. It can be installed from https://splunkbase.splunk.com/app/1151/ (documentation: http://docs.splunk.com/Documentation/SA-LdapSearch/latest/User/AbouttheSplunkSupportingAdd-onforActiveDirectory). The app should be configured with a default domain. Note that the scheduled searches assume the default domain is configured; if your domain uses a different name, the searches will need to be tuned accordingly.

Installation

To install the SA-IdentityAssetExtraction app, either unpack the package under $SPLUNK_HOME/etc/apps or install it via Manage Apps -> Install app from file in Splunk. If installed via the UI, the application does not require a Splunk restart. This app only needs to be present on the search head.

By default, the scheduled searches that generate asset and identity data are disabled; they must be enabled after review to ensure they fit your environment.

Did you know: Splunk allows you to install .zip based apps via the UI, meaning, you are able to install master.zip generated by GitHub.

Customization

Every organization/environment is different, and therefore you will need to adjust the priority, category, and any additional fields to satisfy your requirements. Several eval and case examples have been included in each of the searches to get you started.

Components and Usage

The SA-IdentityAssetExtraction add-on consists of several settings and knowledge objects.

Saved Searches

The SA leverages scheduled searches to continuously build and refresh asset and identity data. The searches output all fields required by the Enterprise Security asset and identity lookups. Note that the search schedules can be modified to match the desired refresh frequency.

  1. ldap_assets - Populates asset information from AD and runs every day at 02:00 AM. Generates $SPLUNK_HOME/etc/apps/SA-IdentityAssetExtraction/lookups/ldap_assets.csv
  2. ldap_identities - Populates identity information from AD and runs every day at 12:00 AM. Generates $SPLUNK_HOME/etc/apps/SA-IdentityAssetExtraction/lookups/ldap_identities.csv
  3. splunk_deployment_server_assets - Populates and merges information from Splunk Deployment Server logs into an asset lookup. This search runs every day at 03:00 AM over the last 24 hours. Generates $SPLUNK_HOME/etc/apps/SA-IdentityAssetExtraction/lookups/splunk_deployment_server_assets.csv.csv
  4. aws_ec2_assets - Populates asset information from AWS EC2 information and runs every day at midnight. Generates $SPLUNK_HOME/etc/apps/SA-IdentityAssetExtraction/lookups/aws_ec2_assets.csv

Inputs

The following inputs perform the identity and asset merge functionality within Enterprise Security; they are located under $SPLUNK_HOME/etc/apps/SA-IdentityAssetExtraction/default

  1. [identity_manager://ldap_identities]
  2. [identity_manager://ldap_assets]
  3. [identity_manager://splunk_deployment_server_assets]
  4. [identity_manager://aws_ec2_assets]

Transforms

The following lookup definition stanzas are found under $SPLUNK_HOME/etc/apps/SA-IdentityAssetExtraction/default

  1. [ldap_identities]
  2. [ldap_assets]
  3. [splunk_deployment_server_assets]
  4. [aws_ec2_assets]
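To show how the saved search, lookup definition and identity_manager input described above fit together for one source, here is an added, hypothetical set of stanzas for the ldap_assets pipeline (an illustration, not the add-on's actual configuration). The LDAP filter, attribute names and the priority/category eval rules are assumptions; the identity_manager keys are the ones that appear in the Troubleshooting error output below, and the search ships disabled as the Installation section notes.

```ini
# savedsearches.conf -- hypothetical ldap_assets search (not the project's own)
[ldap_assets]
disabled = 1
enableSched = 1
cron_schedule = 0 2 * * *
# SA-ldapsearch against the default domain; assumed filter and attribute list
search = | ldapsearch domain=default search="(objectClass=computer)" attrs="cn,dNSHostName,operatingSystem" \
  | rename cn AS nt_host, dNSHostName AS dns \
  | eval priority=case(match(operatingSystem, "(?i)server"), "high", true(), "medium") \
  | eval category=case(match(operatingSystem, "(?i)server"), "server", true(), "workstation") \
  | eval ip="", mac="", owner="", lat="", long="", city="", country="", bunit="", pci_domain="", is_expected="", should_timesync="", should_update="", requires_av="" \
  | table ip mac nt_host dns owner priority lat long city country bunit category pci_domain is_expected should_timesync should_update requires_av \
  | outputlookup ldap_assets.csv

# transforms.conf -- lookup definition pointing at the generated CSV
[ldap_assets]
filename = ldap_assets.csv

# inputs.conf -- ES identity_manager input that merges the lookup into the asset framework
[identity_manager://ldap_assets]
category = ldap_assets
description = Computer assets pulled from Active Directory via SA-ldapsearch
target = asset
url = lookup://ldap_assets
```

Review the eval/case rules and the default-domain assumption before setting disabled = 0, since whatever the search emits becomes the authoritative asset data that ES correlates against.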

Troubleshooting

  1. I am not using the Splunk app for Enterprise Security (ES) and am seeing errors related to identity_manager on startup, such as those listed below. SA-IdentityAssetExtraction is developed to work with ES and as such requires ES-specific components. To use this SA without ES, simply rename $SPLUNK_HOME/etc/apps/SA-IdentityAssetExtraction/default/inputs.conf to $SPLUNK_HOME/etc/apps/SA-IdentityAssetExtraction/default/inputs.conf.disabled

    Invalid key in stanza [identity_manager://ldap_identities] in /Applications/Splunk/etc/apps/SA-IdentityAssetExtraction/default/inputs.conf, line 5: category (value: ldap_identities)
    Invalid key in stanza [identity_manager://ldap_identities] in /Applications/Splunk/etc/apps/SA-IdentityAssetExtraction/default/inputs.conf, line 6: description (value: List of identities pulled from the SA-ldapsearch)
    Invalid key in stanza [identity_manager://ldap_identities] in /Applications/Splunk/etc/apps/SA-IdentityAssetExtraction/default/inputs.conf, line 7: target (value: identity)
    Invalid key in stanza [identity_manager://ldap_identities] in /Applications/Splunk/etc/apps/SA-IdentityAssetExtraction/default/inputs.conf, line 8: url (value: lookup://ldap_identities)

Additional Resources

Additional documentation discussing ES assets and identities can be found at http://docs.splunk.com/Documentation/ES/latest/Admin/Addassetandidentitydata

Credits

Big thanks to the following individuals who helped contribute to this effort:

  • Aaron Kornhauser

Legal

  • Splunk is a registered trademark of Splunk, Inc.
