Splunk Enterprise Security

Asset and identity from multiple domains

Amire22
Engager

Hello

I have a search head configured with assets and identities from the current AD domain.

I have 5 more AD domains without trust and on different networks.

In each domain / network I have a HF sending data to indexers.

How can I set those domains to send asset and identity information to my search head?

Thank you


Amire22
Engager

Thank you!

I will test option B.


livehybrid
Super Champion

Hi @Amire22 

I think you should be able to configure additional domains exactly the same way you did the first one; asset & identity data must ultimately reside in lookups (CSV or KV-store) on the ES search head, those files are not forwarded automatically by indexers/HFs.

  • Option A – query the directories directly from ES
    • Install SA-ldapsearch (or the Splunk Add-on for Microsoft AD) on the ES search head.
    • Create one stanza per domain with its own server, bindDN and credentials.
    • Schedule one ldapsearch per domain that writes to a single lookup (e.g. identities.csv, assets.csv). ES will ingest those lookups when the “Identity – Lookup Gen” and “Asset – Lookup Gen” searches run.
  • Option B – collect on each HF and ship as events
    • Install SA-ldapsearch on a HF in each domain.
    • Schedule a search or scripted input that outputs CSV-formatted events and forward them to a dedicated index, e.g. index=identity.
    • Use a search to pull the data into a lookup. Essential SPL example:

      index=identity sourcetype=ldap_identities
      | eval category="normal"
      | lookup update=true identities.csv identity OUTPUTNEW *
      | outputlookup identities.csv

ES does not care where the data comes from as long as the final lookups exist on the search head. Multiple domains, lack of trust, or separate networks are irrelevant; you only need LDAP connectivity from whichever Splunk instance is executing the LDAP query.

You should probably add a domain/prefix field to your A&I lookups to show which domain the entity originates from.
If you end up with a large CSV lookup consider switching to KV-store lookup.
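As an added example (not code from the original post and not Splunk's own tooling), the script below shows the shape of the per-domain collection step in Option B combined with the domain/prefix suggestion above: it maps directory records from several untrusted domains onto identity lookup rows, prefixes each identity with its domain so that the same sAMAccountName in two forests does not collide, and merges the fresh rows into an existing lookup without discarding domains that were not collected in this run. Assumptions: the input records are already-normalised dicts of the kind a scripted input on each HF could emit (the sample data is constructed); the column subset follows the ES identity lookup format while the extra `domain` column, the userAccountControl-based category/priority heuristic and the merge key are this example's own choices.

```python
"""Build an ES-style identity lookup from per-domain directory exports.

Added example, not the original post's code and not Splunk's own code.
Assumptions: records are already-normalised dicts such as a scripted input
on each HF might emit; the domain label is supplied by the caller; the
column subset follows the ES identity lookup format, and the ``domain``
column is this example's addition (the answer's prefix suggestion).
"""
import csv
import io

# Column subset of the ES identity lookup plus the added "domain" column.
FIELDS = ["identity", "nick", "first", "last", "email",
          "bunit", "category", "priority", "watchlist", "domain"]

# Constructed sample: two untrusted domains that both contain a "jdoe".
SAMPLE_EXPORTS = {
    "CORP": [
        {"sAMAccountName": "jdoe", "givenName": "John", "sn": "Doe",
         "mail": "john.doe@corp.example", "department": "Finance",
         "userAccountControl": "512"},
        {"sAMAccountName": "svc-backup", "givenName": "", "sn": "",
         "mail": "", "department": "IT", "userAccountControl": "66048"},
    ],
    "LAB": [
        {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
         "mail": "jane.doe@lab.example", "department": "Research",
         "userAccountControl": "514"},
    ],
}

# Standard userAccountControl bits (Microsoft-documented values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000


def to_identity_row(record, domain):
    """Map one directory record onto an identity lookup row.

    The identity key is prefixed with the domain so the same sAMAccountName
    in two untrusted forests does not collide; the bare name and e-mail are
    kept as pipe-separated aliases so ES still matches events that only
    carry the short name.  The category/priority heuristic is illustrative.
    """
    sam = record["sAMAccountName"]
    uac = int(record.get("userAccountControl", "0"))
    aliases = [f"{domain}\\{sam}", sam]
    if record.get("mail"):
        aliases.append(record["mail"])
    if uac & UAC_DONT_EXPIRE_PASSWORD and not record.get("givenName"):
        category, priority = "service", "high"   # non-expiring, no person name
    elif uac & UAC_ACCOUNTDISABLE:
        category, priority = "disabled", "low"
    else:
        category, priority = "normal", "medium"
    return {
        "identity": "|".join(aliases),
        "nick": sam,
        "first": record.get("givenName", ""),
        "last": record.get("sn", ""),
        "email": record.get("mail", ""),
        "bunit": record.get("department", ""),
        "category": category,
        "priority": priority,
        "watchlist": "false",
        "domain": domain,
    }


def merge_lookup(existing_rows, new_rows):
    """Merge freshly collected rows into the rows of an existing lookup.

    Rows are keyed on (domain, nick): a fresh row replaces a stale one with
    the same key, and rows from domains not collected in this run are kept,
    so one domain's collector outage does not wipe the other domains.
    """
    merged = {(r.get("domain", ""), r["nick"]): r for r in existing_rows}
    for r in new_rows:
        merged[(r["domain"], r["nick"])] = r
    return sorted(merged.values(), key=lambda r: (r.get("domain", ""), r["nick"]))


def build_lookup(exports, existing_csv=""):
    """Turn {domain: [records]} plus the current lookup CSV into new CSV text."""
    existing = list(csv.DictReader(io.StringIO(existing_csv))) if existing_csv else []
    fresh = [to_identity_row(rec, dom) for dom, recs in exports.items() for rec in recs]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(merge_lookup(existing, fresh))
    return out.getvalue()


if __name__ == "__main__":
    print(build_lookup(SAMPLE_EXPORTS))
```

Keying the merge on (domain, nick) rather than on the bare account name is what makes the multi-domain case safe: the two `jdoe` entries survive as separate rows with different aliases, e-mail addresses and categories, which is exactly the collision the domain/prefix field is meant to prevent.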

More info on apps/addons for bringing in assets/identities info can be found at https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.0/asset-and-identity-management...

