Configure a new asset or identity list in Splunk Enterprise Security
Configure a new asset or identity lookup in Splunk Enterprise Security. This is a multistep process: first add the lookup table file and its lookup definition in Splunk Enterprise Security, then define the lookup as an input for the merge process.
Prerequisites
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format the asset or identity list as a lookup in Splunk Enterprise Security. The assets and identities framework supports only exact matching of IPv6 addresses, so IPv6 entries must be single addresses rather than subnets or ranges.
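As an added example (not part of the Splunk documentation), the following Python check flags IPv6 entries in an asset list that are written as CIDR blocks or ranges, which the framework would never match because it exact-matches IPv6 only. It assumes the address column is named `ip` and uses a constructed sample in the shape of the `network_assets_from_CMDB.csv` file used in the steps below.

```python
import csv
import io
import ipaddress

# Constructed sample asset list. The "ip" column name and the IPv4
# range/CIDR forms are assumptions for illustration, not page content.
SAMPLE_CSV = """ip,nt_host,dns,priority
10.0.0.0/24,,corp-net,medium
192.168.1.5-192.168.1.20,,lab-range,low
2001:db8::10,srv01,srv01.example.com,high
2001:db8::/64,,v6-net,medium
2001:db8::20-2001:db8::30,,v6-range,low
"""


def _is_single_ipv6(value: str) -> bool:
    """True only for one literal IPv6 address (no prefix length, no range)."""
    try:
        return ipaddress.ip_address(value).version == 6
    except ValueError:
        return False


def find_unmatched_ipv6_rows(csv_text: str, ip_field: str = "ip") -> list:
    """Return (row_number, value) for every IPv6 entry that is not a single
    address. Such rows would silently never match any event after the
    lookup is merged into the expanded lookup."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    # Data rows start at line 2; line 1 of the file is the header.
    for row_num, row in enumerate(reader, start=2):
        value = (row.get(ip_field) or "").strip()
        # IPv6 text always contains ":"; IPv4 addresses, subnets and
        # ranges do not, and those forms are left alone here.
        if ":" not in value:
            continue
        if not _is_single_ipv6(value):
            problems.append((row_num, value))
    return problems


if __name__ == "__main__":
    for row_num, value in find_unmatched_ipv6_rows(SAMPLE_CSV):
        print(f"row {row_num}: IPv6 entry '{value}' will not exact-match")
```

Run it against the real file before uploading it in the steps below; any reported rows should be expanded to individual IPv6 addresses or dropped.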
Steps
Add the new lookup table file
These lookup table files are consumed by the asset and identity framework and merged together. The product of the merge is called an "expanded lookup."
- From the Splunk menu bar, select Settings > Lookups > Lookup table files.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Select the lookup file to upload.
- Type the Destination filename that the lookup table file should have on the search head. The name must include the filename extension, for example, network_assets_from_CMDB.csv.
- Click Save to save the lookup table file and return to the list of lookup table files.
Set permissions on the lookup table file to share it with Splunk Enterprise Security
Add a new lookup definition
- From the Splunk menu bar, select Settings > Lookups > Lookup definitions.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Type a name for the lookup source. This name must match the name defined later in the input stanza definition on the Identity Management dashboard. For example, network_assets_from_CMDB.
- Select a Type of File based.
- Select the lookup table file created. For example, select network_assets_from_CMDB.csv.
- Click Save.