Splunk Mumbai User Group
• Join splunk_mumbai_usergroup on Slack
• Use _mumbai_usergroup for Q&A during the session.
• Please keep your line muted.
• Questions/doubts to be entered in the conversation.
• Slides, recording and feedback form will be posted on the Event Page after the session.
https://usergroups.splunk.com/mumbai-splunk-user-group/
About me!
• 2+ years of Splunk experience
• Project lead at Avotrix
• Enterprise Security, ITSI, APM, Phantom & UBA
• Creating blogs
• Splunk trainer
Introduction to Mumbai User Group
Splunk ES – Asset & Identity concept
Agenda
1. Introduction
2. Splunk ES basics
3. How to manage incidents
4. Asset and identities concept
5. Data sources for integrating asset and identity data
6. SA-ldapsearch add-on and LDAP query
7. Asset and identity lookup creation (practical)
8. Use case
9. Conclusion
10. Q&A
Splunk ES basics
• Incident Management
• Adaptive Response
• Asset and Identity
• Threat Intel
• Risk
Splunk ES working to alert and manage incidents
CIM compatible data sources (Windows, Firewall, Active Directory)
→ Correlation searches
→ Create notable event by selecting the alert action "notable event"
→ Update the KV store collection for incidents
→ Assign incidents to the team
→ Investigation / incident review dashboard
Asset and Identity concept?
The asset and identity concept helps you find the what, why and where of a security use case and lets you drill down further to find the root cause.
Without asset and identity data: alert with hostname, computer name, IP, port.
With asset and identity data: alert with hostname, computer name, IP, port, workstation owner details, workstation access details, user role.
How to integrate your asset and identity data in Splunk ES?
You have the choices below for registering asset and identity data in ES:
• Manually (monitoring a file from servers)
• Use LDAP to register data in Asset and Identity Manager
• Use cloud service provider data to register data in Asset and Identity Manager
We are using LDAP or Active Directory: configure the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) to query your LDAP/Active Directory environment.
Asset and identities data collection methods
Technology | Asset or Identity data | Collection methods
Active Directory | Both | SA-ldapsearch and a custom search.
Active Directory | Both | SecKit Windows Add On for ES Asset and Identities *
LDAP | Both | SA-ldapsearch and a custom search.
CMDB | Asset | DB Connect for integrating with 3rd party structured data sources, and a custom search.
ServiceNow | Both | Splunk Add-on for ServiceNow
Bit9 | Asset | Splunk Add-on for Bit9 and a custom search.
Cisco ISE | Both | Splunk Add-on for Cisco ISE and a custom search.
Microsoft SCOM | Asset | Splunk Add-on for Microsoft SCOM and a custom search.
Okta | Identity | Splunk Add-on for Okta and a custom search. *
Sophos | Asset | Splunk Add-on for Sophos and a custom search.
Symantec Endpoint Protection | Asset | Splunk Add-on for Symantec Endpoint Protection and a custom search.
Amazon Web Services (AWS) | Asset | SecKit AWS Add On for ES Asset and
Configuration Management (CMDB) | Asset | SecKit SA Common tools for populating assets and identities in Enterprise Security and PCI *
Link to the LDAP query in the SA-ldapsearch documentation: https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.3/User/Theldapsearchcommand
SA-ldapsearch add-on configuration
LDAP query to retrieve identity data
| ldapsearch domain=<corp.domain.com> search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,userAccountControl"
| makemv userAccountControl
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate
Ref: https://conf.splunk.com/files/2019/slides/FN2268.pdf
LDAP query to retrieve asset data
| ldapsearch domain=<corp.domain.com> search="(&(objectClass=computer))" attrs="distinguishedName,dNSHostName,managedBy,sAMAccountName"
| rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)"
| eval nt_host=replace(sAMAccountName, "\$", ""),
       dns='dNSHostName',
       owner='managedBy',
       bunit_split=split(dn, ","),
       category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_")),
       priority=case(match(category, "domain_controller|exchange|citrix"), "critical",
                     match(category, "server|disabled"), "high",
                     match(category, "workstation|desktop|mobile|laptop|computer"), "medium",
                     category IN ("staging", "test"), "low",
                     1==1, "unknown"),
       is_expected=if(priority IN ("critical", "high"), "true", "false"),
       country="India",
       city="Mumbai",
       owner=if(isnull(owner), "Admin", owner)
| search nt_host!="provAgentgMSA"
| rex field=bunit_split "(OU)=(?<bunit>.+)"
| rex field=owner "(CN)=(?<owner>\w+\s\w+),OU="
| table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av
Ref: https://conf.splunk.com/files/2019/slides/FN2268.pdf
Asset and identity lookup creation
• Create a custom lookup table file mydata.csv
• Create a lookup table definition mydata
• Save the ldapsearch and schedule it as a report to automatically fill the custom lookup
• Define the custom lookup in Splunk ES app >> Configure ES >> Data enrichment >> Identity management
• Use ldapsearch to generate the custom lookup table data
How did my lookup name change?
Let's get into the details...
Asset & Identity practical
Asset and identity lookup management using the entitymerge command
One will spot these under Configure > Data enrichment:
• identity_lookup_expanded
| `add_entity_source("administrative_identity_lookup","administrative_identities")`
| `add_entity_source("AvotrixIdentity","AvotrixIdentity")`
| `add_entity_source("simple_identity_lookup","static_identities")`
| eval identity=split(identity, "|"),
       identity=if(_source=="administrative_identities", mvappend(identity,`get_mv_item0("email")`), identity),
       identity=if(_source=="AvotrixIdentity", mvappend(identity,`get_mv_item0("email")`,replace(`get_mv_item0("email")`,"@.*","")), identity),
       identity=if(_source=="static_identities", mvappend(identity,`get_mv_item0("email")`), identity),
       identity=mvjoin(mvdedup(identity), "|")
| table "_source","cim_entity_zone","bunit","category","email","endDate","first","identity","last","managedBy","nick","phone","prefix","priority","startDate","suffix","watchlist","work_city","work_country","work_lat","work_long"
| eval `iden_mktime_meval(startDate)`,`iden_mktime_meval(endDate)`,identity=mvsort(identity)
| sort 0 +identity
| inputlookup append=T "identity_lookup_expanded"
| entitymerge "identity"
• asset_lookup_by_str
| `add_entity_source("AvotrixAsset","AvotrixAsset")`
| table "_source","cim_entity_zone","bunit","category","city","country","dns","ip","is_expected","lat","long","mac","nt_host","owner","pci_domain","priority","requires_av","should_timesync","should_update"
| `make_ip_str`
| inputlookup append=T "asset_lookup_by_str"
| entitymerge "asset"
• asset_lookup_by_cidr
| `add_entity_source("AvotrixAsset","AvotrixAsset")`
| table "_source","cim_entity_zone","bunit","category","city","country","dns","ip","is_expected","lat","long","mac","nt_host","owner","pci_domain","priority","requires_av","should_timesync","should_update"
| `make_ip_cidr`
| inputlookup append=T "asset_lookup_by_cidr"
| entitymerge "asset"
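A check worth running after a custom source such as AvotrixIdentity has been merged: this added SPL search (not from the deck) reads identity_lookup_expanded back and counts, per source and priority, rows with an empty email or an endDate that is not epoch seconds, since the merge search above converts startDate/endDate with iden_mktime_meval and a malformed date silently becomes null. The _source and field names come from the merge search on this slide; the threshold columns are this example's own.

```spl
| inputlookup identity_lookup_expanded
| search _source="AvotrixIdentity"
| eval endDate_format=case(isnull(endDate) OR endDate=="", "empty",
                           match(endDate, "^\d+(\.\d+)?$"), "epoch",
                           1==1, "not_epoch"),
       missing_email=if(isnull(email) OR email=="", 1, 0)
| stats count AS rows,
        dc(identity) AS distinct_identities,
        sum(missing_email) AS rows_missing_email,
        count(eval(endDate_format=="not_epoch")) AS rows_bad_endDate,
        values(category) AS categories
        BY _source priority
```

Any non-zero rows_bad_endDate means the expired-user use case below cannot match those identities, so fix the source CSV before enabling the lookup in Identity management.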
Using Asset & Identity with a security use case
Expired user login activity to the network:
An ex-employee tried to access organizational resources; whether the attempt failed or succeeded, it is a threat to the security of your company data. The identity lookup helps you get additional details here, like the account expiry date pulled from the LDAP server.
Here we are showing a dummy user "Krishna", whose user account expiry date was 20th May 2021. Now, through the "Expired user account activity detected" alert, we got an incident that someone used the user "Krishna" and tried to log in on 15th Sept 2021. This is a security threat. Through the authentication log we were getting info like the user and its latest_access_time. Now, as you can see, we used the ES identity lookup to get more details.
Expired user login alert use case
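The alert described above, written out as an SPL correlation search; this is an added example, not from the deck. It assumes the Authentication data model is accelerated (summariesonly=true) and that identity_lookup_expanded, as the merge search on the previous slide builds it, holds one row per identity value with endDate as epoch seconds; the user_* output names are this example's own.

```spl
| tstats summariesonly=true
        count AS login_attempts
        max(_time) AS latest_access_time
        values(Authentication.action) AS action
        values(Authentication.src) AS src
    FROM datamodel=Authentication.Authentication
    BY Authentication.user
| rename Authentication.user AS user
| lookup identity_lookup_expanded identity AS user
    OUTPUTNEW first AS user_first, last AS user_last, bunit AS user_bunit,
              priority AS user_priority, endDate AS user_endDate
| eval user_endDate=tonumber(user_endDate)
| where isnotnull(user_endDate) AND latest_access_time > user_endDate
| eval account_expired_on=strftime(user_endDate, "%d %b %Y"),
       last_seen=strftime(latest_access_time, "%d %b %Y %H:%M:%S"),
       days_after_expiry=round((latest_access_time - user_endDate) / 86400)
| table user user_first user_last user_bunit user_priority account_expired_on last_seen days_after_expiry action src login_attempts
```

For the Krishna case this yields one row with account_expired_on "20 May 2021", last_seen on 15 Sep 2021 and action showing whether the attempt succeeded or failed; scheduled as a correlation search with the notable event alert action it becomes the incident shown on the slide.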
Conclusion
Custom lookup vs asset and identity lookup
Custom lookups (Lookup A, Lookup B, Lookup C):
• Writing a query that joins 3 lookups to enrich a search
• No automatic data model
Asset and identity lookup:
• The query is much more optimized, as it uses a single lookup
• Asset and identity lookup data gets into the Asset And Identities data model
• Data models are easy to work with
• "identity_lookup_expanded" uses a single lookup
Q&A
Ad

More Related Content

What's hot (20)

Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with SplunkReactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Splunk
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
Splunk
 
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
SQRRL threat hunting platform
SQRRL threat hunting platformSQRRL threat hunting platform
SQRRL threat hunting platform
DataWorks Summit/Hadoop Summit
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Spv Reddy
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEM
John Hubbard
 
Elastic Security: Unified protection for everyone
Elastic Security: Unified protection for everyoneElastic Security: Unified protection for everyone
Elastic Security: Unified protection for everyone
Elasticsearch
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
Elastic Observability keynote
Elastic Observability keynoteElastic Observability keynote
Elastic Observability keynote
Elasticsearch
 
Splunk Architecture
Splunk ArchitectureSplunk Architecture
Splunk Architecture
Kishore Chaganti
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
Hendri Karisma
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL)                             ...Power of Splunk Search Processing Language (SPL)                             ...
Power of Splunk Search Processing Language (SPL) ...
Splunk
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics
nullowaspmumbai
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security Benchmark
Rahul Khengare
 
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with SplunkReactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Splunk
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
Splunk
 
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEM
John Hubbard
 
Elastic Security: Unified protection for everyone
Elastic Security: Unified protection for everyoneElastic Security: Unified protection for everyone
Elastic Security: Unified protection for everyone
Elasticsearch
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
Elastic Observability keynote
Elastic Observability keynoteElastic Observability keynote
Elastic Observability keynote
Elasticsearch
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
Hendri Karisma
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Power of Splunk Search Processing Language (SPL) ...
Power of Splunk Search Processing Language (SPL)                             ...Power of Splunk Search Processing Language (SPL)                             ...
Power of Splunk Search Processing Language (SPL) ...
Splunk
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics
nullowaspmumbai
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security Benchmark
Rahul Khengare
 

Similar to Splunk ES Asset & Identity (20)

Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API Platform
Antonio Peric-Mazar
 
Customer Presentation - Financial Services Organization
Customer Presentation - Financial Services OrganizationCustomer Presentation - Financial Services Organization
Customer Presentation - Financial Services Organization
Splunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Splunk
 
Prototyping applications with heroku and elasticsearch
 Prototyping applications with heroku and elasticsearch Prototyping applications with heroku and elasticsearch
Prototyping applications with heroku and elasticsearch
protofy
 
Day 1 - Technical Bootcamp azure synapse analytics
Day 1 - Technical Bootcamp azure synapse analyticsDay 1 - Technical Bootcamp azure synapse analytics
Day 1 - Technical Bootcamp azure synapse analytics
Armand272
 
Application Development on Metapod
Application Development on MetapodApplication Development on Metapod
Application Development on Metapod
Cisco DevNet
 
SplunkLive! Introduction to the Splunk Developer Platform
SplunkLive! Introduction to the Splunk Developer PlatformSplunkLive! Introduction to the Splunk Developer Platform
SplunkLive! Introduction to the Splunk Developer Platform
Splunk
 
Azure Data Factory v2
Azure Data Factory v2Azure Data Factory v2
Azure Data Factory v2
inovex GmbH
 
SplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk Enterprise
Splunk
 
Splunk What's New - Nov 2014
Splunk What's New - Nov 2014Splunk What's New - Nov 2014
Splunk What's New - Nov 2014
Hal Rottenberg
 
Integrating Splunk into your Spring Applications
Integrating Splunk into your Spring ApplicationsIntegrating Splunk into your Spring Applications
Integrating Splunk into your Spring Applications
Damien Dallimore
 
9 design factors for cloud applications
9 design factors for cloud applications9 design factors for cloud applications
9 design factors for cloud applications
uEngine Solutions
 
Introduction to Elasticsearch with basics of Lucene
Introduction to Elasticsearch with basics of LuceneIntroduction to Elasticsearch with basics of Lucene
Introduction to Elasticsearch with basics of Lucene
Rahul Jain
 
ACM BPM and elasticsearch AMIS25
ACM BPM and elasticsearch AMIS25ACM BPM and elasticsearch AMIS25
ACM BPM and elasticsearch AMIS25
Getting value from IoT, Integration and Data Analytics
 
Archonnex at ICPSR
Archonnex at ICPSRArchonnex at ICPSR
Archonnex at ICPSR
Harshakumar Ummerpillai
 
Data models pivot with splunk break out session
Data models pivot with splunk break out sessionData models pivot with splunk break out session
Data models pivot with splunk break out session
Georg Knon
 
SplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk Enterprise
Splunk
 
Getting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionGetting Started with Splunk Breakout Session
Getting Started with Splunk Breakout Session
Splunk
 
Educause Annual 2007
Educause Annual 2007Educause Annual 2007
Educause Annual 2007
Neil Matatall
 
Azure sentinel
Azure sentinelAzure sentinel
Azure sentinel
Marius Sandbu
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API Platform
Antonio Peric-Mazar
 
Customer Presentation - Financial Services Organization
Customer Presentation - Financial Services OrganizationCustomer Presentation - Financial Services Organization
Customer Presentation - Financial Services Organization
Splunk
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Splunk
 
Prototyping applications with heroku and elasticsearch
 Prototyping applications with heroku and elasticsearch Prototyping applications with heroku and elasticsearch
Prototyping applications with heroku and elasticsearch
protofy
 
Day 1 - Technical Bootcamp azure synapse analytics
Day 1 - Technical Bootcamp azure synapse analyticsDay 1 - Technical Bootcamp azure synapse analytics
Day 1 - Technical Bootcamp azure synapse analytics
Armand272
 
Application Development on Metapod
Application Development on MetapodApplication Development on Metapod
Application Development on Metapod
Cisco DevNet
 
SplunkLive! Introduction to the Splunk Developer Platform
SplunkLive! Introduction to the Splunk Developer PlatformSplunkLive! Introduction to the Splunk Developer Platform
SplunkLive! Introduction to the Splunk Developer Platform
Splunk
 
Azure Data Factory v2
Azure Data Factory v2Azure Data Factory v2
Azure Data Factory v2
inovex GmbH
 
SplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk EnterpriseSplunkLive! Getting Started with Splunk Enterprise
SplunkLive! Getting Started with Splunk Enterprise
Splunk
 
Splunk What's New - Nov 2014
Splunk What's New - Nov 2014Splunk What's New - Nov 2014
Splunk What's New - Nov 2014
Hal Rottenberg
 
Integrating Splunk into your Spring Applications
Integrating Splunk into your Spring ApplicationsIntegrating Splunk into your Spring Applications
Integrating Splunk into your Spring Applications
Damien Dallimore
 
9 design factors for cloud applications
9 design factors for cloud applications9 design factors for cloud applications
9 design factors for cloud applications
uEngine Solutions
 
Introduction to Elasticsearch with basics of Lucene
Introduction to Elasticsearch with basics of LuceneIntroduction to Elasticsearch with basics of Lucene
Introduction to Elasticsearch with basics of Lucene
Rahul Jain
 
Data models pivot with splunk break out session
Data models pivot with splunk break out sessionData models pivot with splunk break out session
Data models pivot with splunk break out session
Georg Knon
 
SplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk EnterpriseSplunkLive! Analytics with Splunk Enterprise
SplunkLive! Analytics with Splunk Enterprise
Splunk
 
Getting Started with Splunk Breakout Session
Getting Started with Splunk Breakout SessionGetting Started with Splunk Breakout Session
Getting Started with Splunk Breakout Session
Splunk
 
Educause Annual 2007
Educause Annual 2007Educause Annual 2007
Educause Annual 2007
Neil Matatall
 
Ad

Recently uploaded (20)

LDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini UpdatesLDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini Updates
LDM Mia eStudios
 
CBSE - Grade 8 - Science - Chemistry - Metals and Non Metals - Worksheet
CBSE - Grade 8 - Science - Chemistry - Metals and Non Metals - WorksheetCBSE - Grade 8 - Science - Chemistry - Metals and Non Metals - Worksheet
CBSE - Grade 8 - Science - Chemistry - Metals and Non Metals - Worksheet
Sritoma Majumder
 
Studying Drama: Definition, types and elements
Studying Drama: Definition, types and elementsStudying Drama: Definition, types and elements
Studying Drama: Definition, types and elements
AbdelFattahAdel2
 
Unit 4: Long term- Capital budgeting and its types
Unit 4: Long term- Capital budgeting and its typesUnit 4: Long term- Capital budgeting and its types
Unit 4: Long term- Capital budgeting and its types
bharath321164
 
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACYUNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
DR.PRISCILLA MARY J
 
Understanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s GuideUnderstanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s Guide
GS Virdi
 
Diabetic neuropathy peripheral autonomic
Diabetic neuropathy peripheral autonomicDiabetic neuropathy peripheral autonomic
Diabetic neuropathy peripheral autonomic
Pankaj Patawari
 
Timber Pitch Roof Construction Measurement-2024.pptx
Timber Pitch Roof Construction Measurement-2024.pptxTimber Pitch Roof Construction Measurement-2024.pptx
Timber Pitch Roof Construction Measurement-2024.pptx
Tantish QS, UTM
 
Metamorphosis: Life's Transformative Journey
Metamorphosis: Life's Transformative JourneyMetamorphosis: Life's Transformative Journey
Metamorphosis: Life's Transformative Journey
Arshad Shaikh
 
To study the nervous system of insect.pptx
To study the nervous system of insect.pptxTo study the nervous system of insect.pptx
To study the nervous system of insect.pptx
Arshad Shaikh
 
Handling Multiple Choice Responses: Fortune Effiong.pptx
Handling Multiple Choice Responses: Fortune Effiong.pptxHandling Multiple Choice Responses: Fortune Effiong.pptx
Handling Multiple Choice Responses: Fortune Effiong.pptx
AuthorAIDNationalRes
 
GDGLSPGCOER - Git and GitHub Workshop.pptx
GDGLSPGCOER - Git and GitHub Workshop.pptxGDGLSPGCOER - Git and GitHub Workshop.pptx
GDGLSPGCOER - Git and GitHub Workshop.pptx
azeenhodekar
 
Social Problem-Unemployment .pptx notes for Physiotherapy Students
Social Problem-Unemployment .pptx notes for Physiotherapy StudentsSocial Problem-Unemployment .pptx notes for Physiotherapy Students
Social Problem-Unemployment .pptx notes for Physiotherapy Students
DrNidhiAgarwal
 
High Performance Liquid Chromatography .pptx
High Performance Liquid Chromatography .pptxHigh Performance Liquid Chromatography .pptx
High Performance Liquid Chromatography .pptx
Ayush Srivastava
 
Vitamins Chapter-7, Biochemistry and clinical pathology, D.Pharm 2nd year
Vitamins Chapter-7, Biochemistry and clinical pathology, D.Pharm 2nd yearVitamins Chapter-7, Biochemistry and clinical pathology, D.Pharm 2nd year
Vitamins Chapter-7, Biochemistry and clinical pathology, D.Pharm 2nd year
ARUN KUMAR
 
Introduction to Vibe Coding and Vibe Engineering
Introduction to Vibe Coding and Vibe EngineeringIntroduction to Vibe Coding and Vibe Engineering
Introduction to Vibe Coding and Vibe Engineering
Damian T. Gordon
 
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Library Association of Ireland
 
To study Digestive system of insect.pptx
To study Digestive system of insect.pptxTo study Digestive system of insect.pptx
To study Digestive system of insect.pptx
Arshad Shaikh
 
How to manage Multiple Warehouses for multiple floors in odoo point of sale
How to manage Multiple Warehouses for multiple floors in odoo point of saleHow to manage Multiple Warehouses for multiple floors in odoo point of sale
How to manage Multiple Warehouses for multiple floors in odoo point of sale
Celine George
 
SPRING FESTIVITIES - UK AND USA -
SPRING FESTIVITIES - UK AND USA            -SPRING FESTIVITIES - UK AND USA            -
SPRING FESTIVITIES - UK AND USA -
Colégio Santa Teresinha
 
LDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini UpdatesLDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini Updates
LDM Mia eStudios
 
CBSE - Grade 8 - Science - Chemistry - Metals and Non Metals - Worksheet
CBSE - Grade 8 - Science - Chemistry - Metals and Non Metals - WorksheetCBSE - Grade 8 - Science - Chemistry - Metals and Non Metals - Worksheet
CBSE - Grade 8 - Science - Chemistry - Metals and Non Metals - Worksheet
Sritoma Majumder
 
Studying Drama: Definition, types and elements
Studying Drama: Definition, types and elementsStudying Drama: Definition, types and elements
Studying Drama: Definition, types and elements
AbdelFattahAdel2
 
Unit 4: Long term- Capital budgeting and its types
Unit 4: Long term- Capital budgeting and its typesUnit 4: Long term- Capital budgeting and its types
Unit 4: Long term- Capital budgeting and its types
bharath321164
 
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACYUNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
DR.PRISCILLA MARY J
 
Understanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s GuideUnderstanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s Guide
GS Virdi
 
Diabetic neuropathy peripheral autonomic
Diabetic neuropathy peripheral autonomicDiabetic neuropathy peripheral autonomic
Diabetic neuropathy peripheral autonomic
Pankaj Patawari
 
Timber Pitch Roof Construction Measurement-2024.pptx
Timber Pitch Roof Construction Measurement-2024.pptxTimber Pitch Roof Construction Measurement-2024.pptx
Timber Pitch Roof Construction Measurement-2024.pptx
Tantish QS, UTM
 
Metamorphosis: Life's Transformative Journey
Metamorphosis: Life's Transformative JourneyMetamorphosis: Life's Transformative Journey
Metamorphosis: Life's Transformative Journey
Arshad Shaikh
 
To study the nervous system of insect.pptx
To study the nervous system of insect.pptxTo study the nervous system of insect.pptx
To study the nervous system of insect.pptx
Arshad Shaikh
 
Handling Multiple Choice Responses: Fortune Effiong.pptx
Handling Multiple Choice Responses: Fortune Effiong.pptxHandling Multiple Choice Responses: Fortune Effiong.pptx
Handling Multiple Choice Responses: Fortune Effiong.pptx
AuthorAIDNationalRes
 
GDGLSPGCOER - Git and GitHub Workshop.pptx
GDGLSPGCOER - Git and GitHub Workshop.pptxGDGLSPGCOER - Git and GitHub Workshop.pptx
GDGLSPGCOER - Git and GitHub Workshop.pptx
azeenhodekar
 
Social Problem-Unemployment .pptx notes for Physiotherapy Students
Social Problem-Unemployment .pptx notes for Physiotherapy StudentsSocial Problem-Unemployment .pptx notes for Physiotherapy Students
Social Problem-Unemployment .pptx notes for Physiotherapy Students
DrNidhiAgarwal
 
High Performance Liquid Chromatography .pptx
High Performance Liquid Chromatography .pptxHigh Performance Liquid Chromatography .pptx
High Performance Liquid Chromatography .pptx
Ayush Srivastava
 
Vitamins Chapter-7, Biochemistry and clinical pathology, D.Pharm 2nd year
Vitamins Chapter-7, Biochemistry and clinical pathology, D.Pharm 2nd yearVitamins Chapter-7, Biochemistry and clinical pathology, D.Pharm 2nd year
Vitamins Chapter-7, Biochemistry and clinical pathology, D.Pharm 2nd year
ARUN KUMAR
 
Introduction to Vibe Coding and Vibe Engineering
Introduction to Vibe Coding and Vibe EngineeringIntroduction to Vibe Coding and Vibe Engineering
Introduction to Vibe Coding and Vibe Engineering
Damian T. Gordon
 
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Library Association of Ireland
 
To study Digestive system of insect.pptx
To study Digestive system of insect.pptxTo study Digestive system of insect.pptx
To study Digestive system of insect.pptx
Arshad Shaikh
 
How to manage Multiple Warehouses for multiple floors in odoo point of sale
How to manage Multiple Warehouses for multiple floors in odoo point of saleHow to manage Multiple Warehouses for multiple floors in odoo point of sale
How to manage Multiple Warehouses for multiple floors in odoo point of sale
Celine George
 
Ad

Splunk ES Asset & Identity

  • 9. How to integrate your asset and identity data in Splunk ES? You have the following choices for registering asset and identity data in ES:
     Manually (monitoring a file from servers)
     Use LDAP to register data in Asset and Identity Manager
     Use cloud service provider data to register data in Asset and Identity Manager
    If you are using LDAP or Active Directory: configure the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) to query your LDAP/Active Directory environment.
  • 10. Asset and identity data collection methods.
    Technology                      | Asset or Identity data | Collection method
    --------------------------------|------------------------|------------------------------------------------------------
    Active Directory                | Both                   | SA-ldapsearch and a custom search.
    Active Directory                | Both                   | SecKit Windows Add On for ES Asset and Identities *
    LDAP                            | Both                   | SA-ldapsearch and a custom search.
    CMDB                            | Asset                  | DB Connect for integrating with 3rd party structured data sources, and a custom search.
    ServiceNow                      | Both                   | Splunk Add-on for ServiceNow
    Bit9                            | Asset                  | Splunk Add-on for Bit9 and a custom search.
    Cisco ISE                       | Both                   | Splunk Add-on for Cisco ISE and a custom search.
    Microsoft SCOM                  | Asset                  | Splunk Add-on for Microsoft SCOM and a custom search.
    Okta                            | Identity               | Splunk Add-on for Okta and a custom search. *
    Sophos                          | Asset                  | Splunk Add-on for Sophos and a custom search.
    Symantec Endpoint Protection    | Asset                  | Splunk Add-on for Symantec Endpoint Protection and a custom search.
    Amazon Web Services (AWS)       | Asset                  | SecKit AWS Add On for ES Asset
    Configuration Management (CMDB) | Asset                  | SecKit SA Common tools for populating assets and identities in Enterprise Security and PCI *
  • 11. SA-ldapsearch add-on configuration. Link to the LDAP query reference in the SA-ldapsearch documentation: https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.3/User/Theldapsearchcommand
  • 12. LDAP query to retrieve identity data. The search keeps only enabled user objects (not computers) and renames the AD attributes to the ES identity lookup column names:
    | ldapsearch domain=<corp.domain.com> search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,userAccountControl"
    | makemv userAccountControl
    | search userAccountControl="NORMAL_ACCOUNT"
    | eval suffix=""
    | eval priority="medium"
    | eval category="normal"
    | eval watchlist="false"
    | eval endDate=""
    | table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate
    | rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate
    Ref: https://conf.splunk.com/files/2019/slides/FN2268.pdf
  • 13. LDAP query to retrieve asset data. The OU path of each computer object drives category and priority; the backslashes in the regexes below were lost on the slide and are restored here ("\$" strips the trailing "$" of computer account names, "\w+\s\w+" captures the owner's name):
    | ldapsearch domain=<corp.domain.com> search="(&(objectClass=computer))" attrs="distinguishedName, dNSHostName, managedBy, sAMAccountName"
    | rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)"
    | eval nt_host=replace(sAMAccountName, "\$", ""), dns='dNSHostName', owner='managedBy', bunit_split=split(dn, ","), category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_")), priority=case(match(category, "domain_controller|exchange|citrix"), "critical", match(category, "server|disabled"), "high", match(category, "workstation|desktop|mobile|laptop|computer"), "medium", category IN ("staging", "test"), "low", 1==1, "unknown"), is_expected=if(priority IN ("critical", "high"), "true", "false"), country="India", city="Mumbai", owner=if(isnull(owner), "Admin", owner)
    | search nt_host!="provAgentgMSA"
    | rex field=bunit_split "(OU)=(?<bunit>.+)"
    | rex field=owner "(CN)=(?<owner>\w+\s\w+),OU="
    | table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av
    Ref: https://conf.splunk.com/files/2019/slides/FN2268.pdf
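As an added example (not from the slides or from Splunk), the same distinguishedName-to-asset mapping as the slide's rex/eval chain, written in Python and run over constructed LDAP computer objects to produce the asset lookup CSV. The hosts and owner names are made up, and treating the innermost OU as the bunit is an assumption.

```python
import csv
import io
import re

# Constructed sample LDAP computer objects (not real directory data), with the attrs the slide requests.
LDAP_COMPUTERS = [
    {"distinguishedName": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "dNSHostName": "dc01.corp.example", "sAMAccountName": "DC01$",
     "managedBy": "CN=Asha Rao,OU=IT,DC=corp,DC=example"},
    {"distinguishedName": "CN=WS-104,OU=Workstations,OU=Mumbai,DC=corp,DC=example",
     "dNSHostName": "ws-104.corp.example", "sAMAccountName": "WS-104$", "managedBy": None},
    {"distinguishedName": "CN=LAB7,OU=Test,DC=corp,DC=example",
     "dNSHostName": "lab7.corp.example", "sAMAccountName": "LAB7$", "managedBy": None},
]
# ES asset lookup columns, in the order of the slide's table command.
ASSET_FIELDS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long", "city",
                "country", "bunit", "category", "pci_domain", "is_expected",
                "should_timesync", "should_update", "requires_av"]

def priority_for(category):
    """Same keyword ladder as the slide's case() expression; first match wins."""
    if re.search(r"domain_controller|exchange|citrix", category):
        return "critical"
    if re.search(r"server|disabled", category):
        return "high"
    if re.search(r"workstation|desktop|mobile|laptop|computer", category):
        return "medium"
    return "low" if category in ("staging", "test") else "unknown"

def to_asset_row(entry):  # one LDAP computer object -> one ES asset lookup row
    ous = re.findall(r"OU=([^,]+)", entry["distinguishedName"])[:5]  # rex max_match=5
    category = "|".join(ous).replace(" ", "_").lower()               # mvjoin, replace, lower
    owner = entry.get("managedBy") or "Admin"                        # isnull(owner) -> "Admin"
    m = re.match(r"CN=(\w+\s\w+),OU=", owner)                        # keep "First Last" from the CN
    row = dict.fromkeys(ASSET_FIELDS, "")                            # ip, mac, lat, long stay blank
    row.update({"nt_host": entry["sAMAccountName"].rstrip("$"),      # computer accounts end in "$"
                "dns": entry["dNSHostName"], "owner": m.group(1) if m else owner,
                "bunit": ous[0] if ous else "",  # assumption: the innermost OU is the bunit
                "category": category, "priority": priority_for(category),
                "city": "Mumbai", "country": "India"})
    row["is_expected"] = "true" if row["priority"] in ("critical", "high") else "false"
    return row

def build_asset_lookup(entries):  # rows plus the CSV text that would fill the custom lookup file
    rows = [to_asset_row(e) for e in entries]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ASSET_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return rows, buf.getvalue()
```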
  • 14. Asset and identity lookup creation
     Create a custom lookup table file mydata.csv
     Create a lookup table definition mydata
     Save the ldapsearch and schedule it as a report to automatically fill the custom lookup
     Define the custom lookup in the Splunk ES app: Configure ES >> Data Enrichment >> Identity Management
     Use ldapsearch to generate the custom lookup table data
  • 15. How did my lookup name change? Let's get into the details.
  • 17. Asset and identity lookup management using the entitymerge command. One will spot these searches under Configure > Data Enrichment:
     identity_lookup_expanded
       | `add_entity_source("administrative_identity_lookup","administrative_identities")`
       | `add_entity_source("AvotrixIdentity","AvotrixIdentity")`
       | `add_entity_source("simple_identity_lookup","static_identities")`
       | eval identity=split(identity, "|"), identity=if(_source=="administrative_identities", mvappend(identity,`get_mv_item0("email")`), identity), identity=if(_source=="AvotrixIdentity", mvappend(identity,`get_mv_item0("email")`,replace(`get_mv_item0("email")`,"@.*","")), identity), identity=if(_source=="static_identities", mvappend(identity,`get_mv_item0("email")`), identity), identity=mvjoin(mvdedup(identity), "|")
       | table "_source","cim_entity_zone","bunit","category","email","endDate","first","identity","last","managedBy","nick","phone","prefix","priority","startDate","suffix","watchlist","work_city","work_country","work_lat","work_long"
       | eval `iden_mktime_meval(startDate)`,`iden_mktime_meval(endDate)`,identity=mvsort(identity)
       | sort 0 +identity
       | inputlookup append=T "identity_lookup_expanded"
       | entitymerge "identity"
     asset_lookup_by_str
       | `add_entity_source("AvotrixAsset","AvotrixAsset")`
       | table "_source","cim_entity_zone","bunit","category","city","country","dns","ip","is_expected","lat","long","mac","nt_host","owner","pci_domain","priority","requires_av","should_timesync","should_update"
       | `make_ip_str`
       | inputlookup append=T "asset_lookup_by_str"
       | entitymerge "asset"
     asset_lookup_by_cidr
       | `add_entity_source("AvotrixAsset","AvotrixAsset")`
       | table "_source","cim_entity_zone","bunit","category","city","country","dns","ip","is_expected","lat","long","mac","nt_host","owner","pci_domain","priority","requires_av","should_timesync","should_update"
       | `make_ip_cidr`
       | inputlookup append=T "asset_lookup_by_cidr"
       | entitymerge "asset"
  • 18. Using Asset & Identity with a security use case. Expired user login activity on the network: an ex-employee tried to access organizational resources; whether the attempt fails or succeeds, it is a threat to the security of your company data. The identity lookup helps you get additional details here, such as the account expiry date pulled from the LDAP server.
  • 19. Expired user login alert use case. Here we are showing a dummy user "Krishna", whose user account expiry date was 20th May 2021. Now, through the "Expired user account activity detected" alert, we got an incident that someone used the user "Krishna" and tried to log in on 15th Sept 2021. This is a security threat. From the authentication log we were only getting information such as user and its latest_access_time. Now, as you can see, we used the ES identity lookup to get more details.
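An added example of the detection this use case describes, in Python rather than SPL (not the speaker's code): constructed identity lookup rows and authentication events, with the identity key expanded the way the entitymerge search on slide 17 does, flagging any login by an account whose endDate has already passed. The users, dates and hosts are made up.

```python
import re
from datetime import datetime

# Constructed identity lookup rows in the column layout of the slide's LDAP
# query; an identity key can hold several aliases joined with "|".
IDENTITY_LOOKUP = [
    {"identity": "krishna|krishna@corp.example", "nick": "Krishna",
     "priority": "medium", "endDate": "2021-05-20"},
    {"identity": "asha.rao|asha.rao@corp.example", "nick": "Asha Rao",
     "priority": "high", "endDate": ""},
]
# Constructed CIM-style authentication events, not real logs.
AUTH_EVENTS = """\
2021-09-15T09:41:07 action=failure user=krishna src=10.10.4.25 dest=fileserver01
2021-09-15T09:41:38 action=success user=KRISHNA@corp.example src=10.10.4.25 dest=fileserver01
2021-09-15T10:02:11 action=success user=asha.rao src=10.10.7.3 dest=vpn-gw
"""
EVENT_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\S+) user=(?P<user>\S+) "
                      r"src=(?P<src>\S+) dest=(?P<dest>\S+)$")

def identity_index(rows):
    """Expand each 'a|b' identity key so any alias resolves to its row (case-insensitive)."""
    index = {}
    for row in rows:
        for alias in row["identity"].split("|"):
            index[alias.lower()] = row
    return index

def expired_user_logins(events, rows):
    """One finding per auth event whose user's endDate lies before the event time.
    Success and failure both count, as the slide says; the outcome is kept in the finding."""
    index = identity_index(rows)
    findings = []
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ident = index.get(m["user"].lower())
        if not ident or not ident["endDate"]:
            continue  # unknown user or no expiry on record: nothing to flag
        if datetime.fromisoformat(m["ts"]) > datetime.fromisoformat(ident["endDate"]):
            findings.append({"user": m["user"], "nick": ident["nick"], "endDate": ident["endDate"],
                             "latest_access_time": m["ts"], "action": m["action"],
                             "src": m["src"], "dest": m["dest"]})
    return findings
```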
  • 21. Custom lookup vs. asset and identity lookup
     Custom lookups (Lookup A, Lookup B, Lookup C): you write a query that joins the 3 lookups to enrich a search; no automatic data model.
     Asset and identity lookup (identity_lookup_expanded): the query is much more optimized because it uses a single lookup; asset and identity lookup data gets into the Asset And Identities data model, and data models are easy to work with.