Machines, People, and Categories, Oh My!

Let’s say you’re working with Enterprise Security and you need to figure out how to put more devices into the asset and identity correlation framework. Here are some resources to get you started!

There are two useful types of data to integrate: lists of assets or identities, and attributes of assets or identities. In both cases, it may also be interesting to enable ad hoc, real-time queries of your data source for individual terms.

A list can be dumped from a directory, systems management tool, asset discovery system, or the like. These are typically accessed via DB Connect or Splunk Support for Active Directory. Other ways to get at this data include modular inputs that query web-based APIs. A useful attribute set can be dumped from any system that gathers the data, such as unmanaged device detection scanners or single sign-on services.

  1. Because the framework is a component of the Splunk App for Enterprise Security, you will need to have a license to complete integration. However, you can still get started with a basic Splunk download.
  2. Review the documentation for ES Asset and Identity correlation inputs.
  3. Decide how to download and integrate the asset or identity content:
    1. If your content is accessible via database or LDAP, you should be able to simply follow the ES documentation; some internal notes, a tech brief, or a blog post explaining how you’re using these tools will be sufficient to start. Depending on what you want to do, an Add-on app that packages your configurations is certainly an option too.
    2. An Add-on is definitely in order if you need to use an API. Read on for more details.
  4. Review the documentation for Splunk Add-on construction if you want to go further and package your new data gathering tool for someone else to use. Here’s an overview:
  • /bin holds any scripts required. Python is the preferred tool for scripting in Splunk. You will want to consider at least the following:
    • a bulk download script to get large amounts of content. This will be used by a saved search to gather the data and output a CSV format for ES to consume.
    • an optional ad hoc query script to ask inline asset or identity questions about single terms. This will be used by a workflow action to power interactive queries.
    • a setup handler to enable the Splunk admin to configure and store your system’s login credentials safely. This requires some extra work, but if you look at some supported add-ons like AWS you may find good examples to follow.
  • /default holds configurations. You will want to consider the following:
    • app.conf is required to upload any App or Add-on.
    • setup.xml and restmap.conf are required to use a setup handler if you want to manage credentials.
    • macros.conf and commands.conf allow access from the Splunk search bar to the scripts in /bin.
    • inputs.conf and savedsearches.conf are used to enable bulk content integration.
    • workflow_actions.conf, transforms.conf, and the /lookups folder are used to enable ad hoc use of content.

Posted by Jack Coates