Revise the miscellaneous settings used by the identity manager framework in Splunk Enterprise Security
You can revise miscellaneous settings that are specific to the identity manager.
Prerequisites
Perform the following prerequisite tasks before starting on these settings:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format the asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
Revise how often the identity manager runs
The identity manager runs every 300 seconds (5 minutes) by default. For performance purposes, you can change this to a larger value so it does not run so frequently.
Use the global settings to change the time:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Global Settings tab.
- Scroll to the Miscellaneous Settings panel.
- Type a number of seconds in the Time(s) field.
Revise the primary host where the identity manager runs
The identity manager runs on the search head captain by default. If you want to separate search head responsibilities, or if the search head is experiencing performance issues due to resource consumption, then you can change the primary host.
Use the global settings to change the primary host if search head clustering is turned on:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Global Settings tab.
- Scroll to the Miscellaneous Settings panel.
- Type a name in the Primary host field that matches the name of a server in the cluster pool.
See System requirements and other deployment considerations for search head clusters.
Add additional context to string lookups based on CIDR blocks
By default, the asset_lookup_by_str lookup does not combine Classless Inter-Domain Routing (CIDR) enrichment in the output results. You can add additional enrichment to your asset and identity lookups based on CIDR blocks. This does not take away any functionality from your asset_lookup_by_cidr lookup.
Automatic lookups run in a certain order to populate enrichment data into empty fields. The order starts with asset_lookup_by_str first, and then asset_lookup_by_cidr is next. Once the string enrichment data is populated into a field, the field is no longer empty, so it does not get filled with CIDR data. Normally your CIDR data is only returned by asset_lookup_by_cidr, but sometimes that results in CIDR enrichment being lost because asset_lookup_by_str runs and matches first. With overlay CIDR turned on, your asset_lookup_by_str will include the CIDR data as well. For more information about automatic lookups and correlation setup, see Manage correlation setup in Splunk Enterprise Security.
To overlay CIDR enrichment into your string lookup results, use the global settings:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Select the Global Settings tab.
- Scroll to the Miscellaneous Settings panel.
- Toggle the Overlay CIDR setting to turn on.
- Select Save.
Examples of overlay CIDR
ip address of 192.187.2.94, which is also a match for a CIDR range of 192.187.0.0/16 that has values in the owner field:
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
192.187.2.94,,,,owner1,,,,,,,,,,,,
192.187.0.0/16,,,,cidr_owner1,,,,,,,,,,,,
10.0.2.109,,,,owner2,,,,,,,,,,,,
10.0.2.0/24,,,,cidr_owner2,,,,,,,,,,,,
With overlay CIDR turned on, the behavior is to include CIDR field values within the string lookup's output results. When an event comes in that matches both an asset by string and also an asset by CIDR, you see the exact match data for the IP address and the most specific CIDR block data.
Using the search preview for asset_lookup_by_str returns results similar to the following:
| asset | ip | owner | pci_domain |
|---|---|---|---|
| 192.187.2.94 | 192.187.2.94 | owner1cidr_owner1 | untrust |
| 10.0.2.109 | 10.0.2.109 | owner2cidr_owner2 | untrust |
See Use the search preview to test the merge of asset and identity data in Splunk Enterprise Security.
With overlay CIDR turned off, the behavior is not to include any enrichment for CIDR field values in the string lookup's output results.
Using the search preview for asset_lookup_by_str returns results similar to the following:
| asset | ip | owner | pci_domain |
|---|---|---|---|
| 192.187.2.94 | 192.187.2.94 | owner1 | untrust |
| 10.0.2.109 | 10.0.2.109 | owner2 | untrust |
See Use the search preview to test the merge of asset and identity data in Splunk Enterprise Security.
The asset enrichment specific to CIDR fields is still available in the CIDR lookup's output results, just not in the string lookup's output results.
Using the search preview for asset_lookup_by_cidr returns results similar to the following:
| asset | ip | owner | pci_domain |
|---|---|---|---|
| 192.187.0.0/16 | 192.187.0.0/16 | cidr_owner1 | untrust |
| 10.0.2.0/24 | 10.0.2.0/24 | cidr_owner2 | untrust |
See Use the search preview to test the merge of asset and identity data in Splunk Enterprise Security.
The overlay_cidr setting is stored in the [identity_manager] stanza of the inputs.conf file.