

Questions/doubts to be entered in conversation. Slides, recording and feedback form will be posted on the Event Page after the session.

Enterprise Security, ITSI, APM, Phantom & UBA

Topics covered:
- Splunk ES: working to alert on and manage incidents
- Asset and identity concept: helps you to find the what, why, and where of security use cases and helps you to drill down further to find the root cause
- How to integrate your asset and identity data in Splunk
- Asset and identity lookup creation
- Practical data sources for integrating asset and identity data

How to integrate your asset and identity data in Splunk

We are using LDAP or Active Directory: configure the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) to query your LDAP/Active Directory environment.

You have the following choices for registering asset and identity data in ES:

Technology | Asset or identity data | Collection methods
Active Directory | Both | SA-ldapsearch and a custom search.
 | Both | SecKit Windows Add On for ES Asset and
LDAP | Both | SA-ldapsearch and a custom search.
CMDB | Asset | DB Connect for integrating with 3rd party structured data sources, and a custom search.
Cisco ISE | Both | Splunk Add-on for Cisco ISE and a custom search.
Bit9 | Asset | Splunk Add-on for Bit9 and a custom search.
ServiceNow | Both | Splunk Add-on for ServiceNow
Microsoft SCOM | Asset | Splunk Add-on for Microsoft SCOM and a custom search.
Okta | Identity | Splunk Add-on for Okta and a custom search.
Sophos | Asset | Splunk Add-on for Sophos and a custom search.
Amazon Web Services (AWS) | Asset | SecKit AWS Add On for ES Asset and
 | Asset | SecKit SA Common tools for populating assets and identities in Enterprise Security and PCI
Symantec Endpoint Protection | Asset | Splunk Add-on for Symantec Endpoint Protection

Identity data from Active Directory (user objects, excluding computer accounts, restricted to normal accounts):

| ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,userAccountControl"
| search userAccountControl="NORMAL_ACCOUNT"
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit, whenCreated as

Field list used for the identity lookup, in column order: sAMAccountName, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile, manager, priority, department, category, watchlist, whenCreated, endDate

Asset data from Active Directory (computer objects):

| ldapsearch search="(&(objectClass=computer))" attrs="distinguishedName, dNSHostName, managedBy, sAMAccountName"
| rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)"
| eval nt_host=replace(sAMAccountName, "\$$", ""), dns='dNSHostName', owner='managedBy', bunit_split=split(dn, ","), category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_")), priority=case(match(category, "domain_controller|exchange|citrix"), "critical", match(category, "server|disabled"), "high", match(category, "workstation|desktop|mobile|laptop|computer"), "medium", category IN ("staging", "test"), "low", 1=1, "unknown"), is_expected=if(priority IN ("critical", "high"), "true", "false"), country="India", city="Mumbai"

The eval strips the trailing $ from the computer account name to get nt_host, joins up to five OU components of the distinguishedName into category, assigns priority by the first matching rule (domain controllers, Exchange and Citrix hosts are critical; servers and disabled objects are high; workstations, desktops, mobiles, laptops and generic computers are medium; an OU named exactly staging or test is low; anything else is unknown), and sets is_expected only for critical and high assets.
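The classification from the computer search above (OU path to category, the ordered priority rules, is_expected), re-implemented in Python as an added example so the rules can be checked offline against sample distinguishedName values before the asset lookup is loaded. This is not code from the slides; the sample entries are constructed stand-ins for ldapsearch output, and the CSV columns are only those the search derives.

```python
import csv
import io
import re
# Constructed sample entries standing in for "| ldapsearch" output; hostnames are made up.
SAMPLE_ENTRIES = [
    {"distinguishedName": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example", "managedBy": "CN=AD Admins,OU=Groups,DC=corp,DC=example"},
    {"distinguishedName": "CN=SRV-DB01,OU=Disabled Computers,OU=Servers,DC=corp,DC=example",
     "sAMAccountName": "SRV-DB01$", "dNSHostName": "srv-db01.corp.example", "managedBy": ""},
    {"distinguishedName": "CN=WS-042,OU=Laptops,OU=Workstations,OU=Mumbai,DC=corp,DC=example",
     "sAMAccountName": "WS-042$", "dNSHostName": "ws-042.corp.example", "managedBy": ""},
    {"distinguishedName": "CN=LAB9,OU=Staging,OU=Lab,DC=corp,DC=example",
     "sAMAccountName": "LAB9$", "dNSHostName": "lab9.corp.example", "managedBy": ""},
]

FIELDS = ["nt_host", "dns", "owner", "category", "priority", "is_expected", "country", "city"]
OU_RE = re.compile(r"OU=([^,]+)")  # same capture as the page's rex on distinguishedName
PRIORITY_RULES = [                 # same order as the page's case(): first match wins
    ("critical", re.compile(r"domain_controller|exchange|citrix")),
    ("high", re.compile(r"server|disabled")),
    ("medium", re.compile(r"workstation|desktop|mobile|laptop|computer")),
]

def classify(entry):
    # Derive the asset lookup columns for one computer object.
    ous = OU_RE.findall(entry["distinguishedName"])[:5]        # rex max_match=5
    category = "|".join(ous).lower().replace(" ", "_")         # mvjoin + lower + replace
    priority = next((p for p, rx in PRIORITY_RULES if rx.search(category)), None)
    if priority is None:
        # IN ("staging", "test") is an exact match: a nested OU such as "staging|lab"
        # falls through to "unknown" rather than "low".
        priority = "low" if category in ("staging", "test") else "unknown"
    return {
        "nt_host": re.sub(r"\$$", "", entry["sAMAccountName"]),  # drop the trailing $
        "dns": entry["dNSHostName"],
        "owner": entry["managedBy"],
        "category": category,
        "priority": priority,
        "is_expected": "true" if priority in ("critical", "high") else "false",
        "country": "India",
        "city": "Mumbai",
    }

def asset_lookup_csv(entries):
    # Render the classified entries as the CSV an ES asset lookup is built from.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(classify(e) for e in entries)
    return buf.getvalue()
```

Running `asset_lookup_csv(SAMPLE_ENTRIES)` shows the rule ordering in action: the host under a Disabled Computers OU nested in Servers is rated high, not medium, even though its category also contains "computer".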
